-
Publication No.: KR1020080050265A
Publication date: 2008-06-05
Application No.: KR1020070076950
Application date: 2007-07-31
Applicant: 한국전자통신연구원
Abstract: An attack pattern processing system and a method for the same are provided to monitor various types of malicious traffic by efficiently arranging and storing case-insensitive attack patterns and case-sensitive attack patterns in a limited memory resource, and by managing the case-insensitive and case-sensitive attack patterns of the same strings in the same memory. The attack pattern processing system includes a memory(53), pattern converters(51,55) that convert an attack pattern to be stored in the memory in accordance with a predetermined pattern conversion rule, and a hash function processor(52) that obtains a hash value of the converted attack pattern and stores the converted attack pattern information in the area of the memory corresponding to the obtained hash value. The attack pattern information consists of the attack pattern without its final letter, plus information bits. The information bits include at least one of a bit indicating whether the stored attack pattern is case-insensitive, a bit indicating whether the stored attack pattern is case-sensitive, and a bit indicating whether the final letter is upper- or lower-case.
-
Publication No.: KR1020070060865A
Publication date: 2007-06-13
Application No.: KR1020050120990
Application date: 2005-12-09
Applicant: 한국전자통신연구원
IPC: H04L12/22
CPC classification number: H04L12/5602
Abstract: A method for storing a pattern matching policy and an alarm control method are provided to apply more traffic patterns to a limited hardware memory by using the memory efficiently in a hardware-based high-performance pattern matching engine. A contents structure matching the header structure of the stored traffic is generated in the header structure, where the header structure is a policy to be newly applied to a pattern matching device(S210). It is checked whether the contents of the stored traffic are the same as the contents of an original traffic previously stored in the pattern matching device(S212). When the contents are the same, the contents of the stored traffic are given the same contents index as the contents of the original traffic(S214,S216). It is checked whether the number of contents structures belonging to the header structure of the original traffic is 1, and if so, the header index of the stored traffic is set to the header index of the original traffic(S218,S220,S222).
-
Publication No.: KR1020060013815A
Publication date: 2006-02-14
Application No.: KR1020040062415
Application date: 2004-08-09
Applicant: 한국전자통신연구원
IPC: H04L12/22
CPC classification number: H04L63/1408 , G06F7/74 , G06F17/30949
Abstract: The present invention relates to a hash table address distribution apparatus and method, and to a pattern matching apparatus using the same. Each byte of a string that constitutes an intrusion rule is extended by a predetermined number of bits; each byte is shifted left or right by (its position in the string - 1); the (position - 1) most significant bits shifted out are supplied to the (position - 1) least significant bits, so that the spectrum of each byte is distributed; and a predetermined hash function is then applied to all of the spectrum-distributed bytes, enabling fast pattern matching.
Intrusion detection, intrusion rule, high-speed pattern matching, hash table
-
Publication No.: KR1020050032765A
Publication date: 2005-04-08
Application No.: KR1020030068718
Application date: 2003-10-02
Applicant: 한국전자통신연구원
IPC: H04L9/00
CPC classification number: H04L63/1416 , H04L63/0245
Abstract: A system for detecting/preventing in-line mode network intrusion and a method for the same are provided to respond rapidly to network intrusion by performing intrusion detection and intrusion prevention in real time. The system for detecting/preventing in-line mode network intrusion includes a first network processor unit(221), a second network processor unit(231) and a personal computer(240). The first network processor unit(221) collects various statistical data according to the metering rule by monitoring the packet data units(PDUs) received from outside, selectively discards or passes each received PDU according to the packet blocking rule, and produces a copy of the PDU according to the sensing rule. The second network processor unit(231) detects the protection and intrusion state between the networks by applying at least one intrusion signature to the payload of each PDU received from the first network processor unit(221). The personal computer(240) generates or updates the packet prevention rule for blocking the intrusion detected by the second network processor unit(231) and supplies that rule to the first network processor unit(221).
-
Publication No.: KR100432421B1
Publication date: 2004-05-22
Application No.: KR1020010082498
Application date: 2001-12-21
Applicant: 한국전자통신연구원
IPC: G06F15/00
Abstract: PURPOSE: A method for analyzing the relations among attacks and a recording medium therefor are provided to supply various statistical and probabilistic analysis data on a currently executed attack, by building intrusion prevention data into a knowledge base for flexible use of the network and executing an attack relation analysis. CONSTITUTION: It is checked whether the same attack is generated frequently and continuously(S1). Similar attack actions are analyzed and their frequency is measured(S2). The latency of an attack is analyzed(S3). The probability of the next attack and its attack method are estimated statistically(S4). Relation analysis data on the generated attack are calculated from the analyzed results. A knowledge base of intrusion detection data is constructed from the calculated relation analysis data(S5).
-
Publication No.: KR100432168B1
Publication date: 2004-05-17
Application No.: KR1020010086312
Application date: 2001-12-27
Applicant: 한국전자통신연구원
IPC: H04L12/22
Abstract: PURPOSE: A security gateway system using multiple intrusion detection objects and an intrusion detection method are provided to judge whether an intrusion occurs, by generating the multiple intrusion detection objects on the basis of object-oriented modeling and analyzing the contraction observation data of a network packet according to each intrusion detection object. CONSTITUTION: A network packet information extracting and transmitting device(205) receives a network packet from a lower network layer and generates contraction observation data. A network intrusion detection performing device(203) analyzes, from the contraction observation data generated by the network packet information extracting and transmitting device(205), whether an intrusion occurs, and provides the analysis result. An intrusion pattern database(204) stores the intrusion patterns the network intrusion detection performing device(203) needs to judge whether an intrusion occurs. A cyber patrol agent(202) manages the entire security gateway system and generates and transmits alarm messages. An alarm processing device(201) transmits the policy and the alarm messages from the cyber patrol agent(202).
-
Publication No.: KR1020030056148A
Publication date: 2003-07-04
Application No.: KR1020010086312
Application date: 2001-12-27
Applicant: 한국전자통신연구원
IPC: H04L12/22
CPC classification number: H04L63/1416 , H04L63/1433 , H04L63/1441
Abstract: PURPOSE: A security gateway system using multiple intrusion detection objects and an intrusion detection method are provided to judge whether an intrusion occurs, by generating the multiple intrusion detection objects on the basis of object-oriented modeling and analyzing the contraction observation data of a network packet according to each intrusion detection object. CONSTITUTION: A network packet information extracting and transmitting device(205) receives a network packet from a lower network layer and generates contraction observation data. A network intrusion detection performing device(203) analyzes, from the contraction observation data generated by the network packet information extracting and transmitting device(205), whether an intrusion occurs, and provides the analysis result. An intrusion pattern database(204) stores the intrusion patterns the network intrusion detection performing device(203) needs to judge whether an intrusion occurs. A cyber patrol agent(202) manages the entire security gateway system and generates and transmits alarm messages. An alarm processing device(201) transmits the policy and the alarm messages from the cyber patrol agent(202).
-