Abstract:
PURPOSE: A device and a method for detecting and blocking application-layer distributed denial-of-service (DDoS) attacks are provided, so that legitimate users can continue to use a service: the attacker's Internet address is extracted exactly and only the attacker's traffic is removed. CONSTITUTION: An information collecting unit (104) monitors the service request packets exchanged between a plurality of servers and clients during a preset monitoring time, and collects the data transmitted at the application layer. A monitoring unit (106) sets the monitoring time and extracts traffic information from the data collected during the set monitoring time. An analyzing unit (108) determines whether attack traffic exists by comparing the extracted traffic information with a previously learned traffic model.
Abstract:
PURPOSE: A device and a method for determining whether a PE file is execution-compressed (packed) are provided, so that packing can be judged regardless of the compression method used and detection efficiency is improved. CONSTITUTION: A header analyzer (10) analyzes the header structure of a target file and confirms that it is a PE (Portable Executable) file. If the target file is a PE file, a header information collector (20) generates a first record containing the characteristic values that appear in the header of a packed PE file. A header information measurer (30) calculates the similarity between the first record and a second record containing the characteristic values collected from a non-packed PE file. An execution compression determination unit (40) determines, based on the similarity, whether the file is execution-compressed.
Abstract:
A polymorphic shellcode detection method is provided that disassembles the input data to detect the instruction that locates the address of the encoded code, reducing processing overhead without missing the relevant instruction. An executable code address is stored in a register table (S100). When a register entry holding the executable code address is used as the input of an instruction, the instruction that defines the remaining register entries is detected (S400). Emulation is performed from the first instruction, covering the instruction that stores the executable code address on the stack and the instructions that define the remaining register entries. If the emulation result is stored in memory, the input data is determined to be polymorphic shellcode (S500).
Abstract:
The present invention relates to a file search system and method. According to the present invention, the file search system uses the signature in a file header to collect, from the packets transmitted and received over a network, the network packets that contain the file being searched for. It then removes the network protocol headers from the collected network packets and reassembles them in order to restore the file. The restored file is verified for accuracy, and only verified files are forwarded to various file analysis systems. Keywords: file search, file header, executable file, signature, network packet
Abstract:
A file search system and a method are provided that use the file-header signature of a file format of interest to collect, from the packets transmitted and received over a network, the network packets that carry a file of that format. Network packets are collected. From the collected packets, the file network packets that contain a file of the desired format are extracted on the basis of the file-header signature of that format (110). The file is restored from the file network packets (120). In this way, the network packets that carry a file needing analysis are collected from the traffic transmitted and received over the network.
Abstract:
The present invention discloses a method and an apparatus for evaluating the information protection level of a subscriber network. According to the present invention, in a method for evaluating the security of a subscriber network, the security functions provided by each security device connected to the network are collected per device; the collected security functions are classified per device according to the type, role and importance of the protection function; a score and a weight are assigned to each classified security function; and a score for the security functions of each security device is calculated to determine a security grade. This allows a more objective evaluation of how well the network is equipped with protection functions against cyber attacks from inside or outside, makes a prior evaluation of security functions possible, and provides a way to strengthen or supplement information protection functions based on the result.
Abstract:
A traceback management system and method are disclosed. A traceback result checking unit transmits, to a traceback management agent provided on the traceback system side, a command requesting traceback information that includes the progress and results of the traceback system's tracing. A traceback system management unit transmits operation control commands, including start, stop and restart of the traceback system, to the traceback management agent. A log checking unit transmits, to the traceback management agent, a command requesting the various log records relating to the traceback performed by the traceback system. In this way, a plurality of traceback systems can be controlled and managed efficiently from a remote location.
Abstract:
Disclosed is a network-based attack tracing system and method using distributed attack detection agents and a manager system, which can detect and trace the attack path of a hacker in real time across the whole network using distributed network-based attack detection agents, a request manager, and a reply manager. The agent detects an attack using a network-based intrusion detection system (NIDS), analyzes an alarm log that is judged to be an attack, converts the analyzed alarm log into attack information, and transmits the attack information to the request manager. The request manager searches for the attack IP based on the attack information received from the agent, stores the search result in a tree structure, and, once the final search is completed, extracts the hacking path using a binary search tree (BST) algorithm. The reply manager searches the alarm log DB located in the agent of its own network in response to the attack information search request from the request manager, and transmits the search result to the request manager. The system and method can make maximum use of the detection function of the existing NIDS, control unnecessary tracing requests while many alarm logs are being judged as attack logs, and broaden its application range in the case of an authenticated network.
Abstract:
PURPOSE: A response watermark generating/inserting apparatus for tracing back connection attacks, and a method therefor, are provided to make a packet easy to trace back by inserting a distinguishable watermark into the contents of a response packet from a victim system compromised by a hacker. CONSTITUTION: A packet check module (10) receives all packets through a network interface card (S1) and checks the received packets for a response packet originating from the victim system. A watermark generating module (20) receives the response packet found by the packet check module (10) and generates a packet watermark corresponding to that response packet. A watermark inserting module (30) inserts the packet watermark into the TCP (Transmission Control Protocol) data region of the response packet provided by the watermark generating module (20). A watermark packet transmitting module (40) transmits the packet provided by the watermark inserting module (30) through a network interface card (S2).
Abstract:
PURPOSE: A real-time buffer overflow hacking detection method is provided that detects and prevents buffer overflow attacks on a system, including previously unknown attack forms, by analyzing in real time the position from which a system call is generated. CONSTITUTION: It is judged whether a system call has occurred (S401). If a system call has occurred, the address from which it was generated is extracted (S402). The extracted address is compared with the memory regions of a normal process (S403). It is judged whether the system call originated in the stack region of memory (S404). If the system call originated in the stack region, it is compared with a system call list (S405) to judge whether it is on the list (S406). If the system call did not originate in the stack region, it is processed normally (S407). If the system call is on the system call list, the corresponding process is stopped and an alarm is given to the system manager (S408).
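The S403 to S408 decision described in this abstract, written out as an added example in C (not the patent's own code). The stack address range, the watched system call numbers and the sample events are constructed values for the example.

```c
/* Added example, not the patent's own code: the S403-S408 decision of the
 * abstract applied to constructed system-call events. The stack range and
 * syscall numbers are hypothetical sample values chosen for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uintptr_t start, end; } region_t;   /* half-open [start, end) */
typedef enum { VERDICT_ALLOW = 0, VERDICT_STOP_AND_ALARM = 1 } verdict_t;

/* The abstract's "system call list" (constructed here with Linux x86-64 numbers). */
static const long WATCHED_SYSCALLS[] = { 59 /* execve */, 41 /* socket */, 42 /* connect */ };

/* Constructed stack region of the monitored process (the S403 memory map). */
static const region_t SAMPLE_STACK = { 0x7ffd0000u, 0x7fff0000u };

static int in_region(const region_t *r, uintptr_t addr) { return addr >= r->start && addr < r->end; }

static int on_watch_list(long nr)
{
    for (size_t i = 0; i < sizeof WATCHED_SYSCALLS / sizeof WATCHED_SYSCALLS[0]; i++)
        if (WATCHED_SYSCALLS[i] == nr) return 1;
    return 0;
}

/* S403-S408: a system call whose caller address lies in the stack region and
 * whose number is on the list stops the process and raises an alarm (S408);
 * anything else is processed normally (S407). */
verdict_t judge_syscall(const region_t *stack, uintptr_t caller, long nr)
{
    if (!in_region(stack, caller))           /* S404: not issued from the stack */
        return VERDICT_ALLOW;
    return on_watch_list(nr) ? VERDICT_STOP_AND_ALARM : VERDICT_ALLOW; /* S405, S406 */
}

int main(void)
{
    /* Constructed events: (caller address, syscall number). */
    struct { uintptr_t caller; long nr; } events[] = {
        { 0x00401234u, 59 },  /* execve from the code segment: normal */
        { 0x7ffe1000u, 59 },  /* execve from the stack: stop and alarm */
        { 0x7ffe1000u,  1 },  /* write from the stack but not on the list */
    };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        verdict_t v = judge_syscall(&SAMPLE_STACK, events[i].caller, events[i].nr);
        printf("caller=%#lx nr=%ld -> %s\n", (unsigned long)events[i].caller,
               events[i].nr, v == VERDICT_STOP_AND_ALARM ? "STOP + ALARM (S408)" : "allow (S407)");
    }
    return 0;
}
```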