Learning-based DNS analyzer and analysis method
    1.
    Invention publication
    Learning-based DNS analyzer and analysis method (Status: invalid)

    Publication number: KR1020140035678A

    Publication date: 2014-03-24

    Application number: KR1020120102239

    Filing date: 2012-09-14

    CPC classification number: H04L63/1425 H04L41/142 H04L43/04 H04L2463/144

    Abstract: A learning-based DNS analyzer for monitoring DNS traffic and discovering abnormal domains, and an analysis method thereof, are provided. The present invention relates to a DNS analyzer which generates and analyzes statistics about DNS traffic and discovers, as an abnormal domain, a domain name that is infected with malicious code and is being queried. An analysis component and a classification rule for discovering abnormal domains are generated by learning from pre-given normal and abnormal domain data and are continuously updated through a learning data log obtained by analyzing the DNS traffic. Therefore, the abnormal domain discovery of the DNS analyzer can be continuously improved. [Reference numerals] (100) DNS analyzer; (110) DNS data collection unit; (120) Database unit; (122) DNS data; (124) DNS traffic statistics; (126) Comparison statistics; (128) Abnormal domain statistics; (132) White list; (134) Black list; (136) Learning data log; (140) Statistics processing unit; (142) DNS traffic statistics module; (144) Abnormal domain statistics module; (146) Comparison statistics module; (150) Abnormal domain detection unit; (152) Filtering module; (154) Classification module; (156) Learning module; (160) User interface unit; (AA) DNS server; (BB) Network


    Method and apparatus for quantifying threat situations for advance recognition of network threats
    2.
    Invention publication
    Method and apparatus for quantifying threat situations for advance recognition of network threats (Status: pending, under substantive examination)

    Publication number: KR1020130132261A

    Publication date: 2013-12-04

    Application number: KR1020130022675

    Filing date: 2013-03-04

    Abstract: The present invention relates to a method and an apparatus for quantifying threat conditions in order to recognize network threats in advance. The disclosed threat condition quantification method comprises: a step of extracting suspicious domains by analyzing the packet patterns of DNS traffic generated in a monitored network; a step of assigning one of predetermined security levels according to the result of identifying the access IPs connecting to a suspicious domain; a step of calculating an activation index according to the monitoring result for the suspicious domain; and a step of inferring the predicted attack amount for each suspicious domain from the predicted attack amount and security level of each zombie computer. Therefore, the present invention recognizes the network threat condition in advance, prevents attacks based on the suspicious domain and predicted attack amount information, and generates an alarm for preventing the threat condition. [Reference numerals] (AA) START; (BB) END; (S201) Traffic packet pattern analysis; (S203) Suspicious domain extraction; (S205) Access IP identification; (S207) Security level assignment; (S209) Access IP monitoring; (S211) Activation index calculation; (S213) Minimum predicted attack amount calculation; (S215) Maximum predicted attack amount calculation; (S217) Estimating the predicted attack amount for each suspicious domain


    Apparatus and method for predicting cyber threats in advance
    3.
    Invention publication
    Apparatus and method for predicting cyber threats in advance (Status: in force)

    Publication number: KR1020130014300A

    Publication date: 2013-02-07

    Application number: KR1020110103255

    Filing date: 2011-10-10

    Inventor: 임선희

    Abstract: The cyber threat prediction apparatus according to the present invention is characterized by comprising: a DNS-based C&C server detection unit that analyzes DNS traffic and extracts domain addresses suspected of being C&C servers; a network-based anomaly detection unit that analyzes network traffic to detect the IP addresses of zombie PCs accessing the C&C servers and detects information on those zombie PCs; and a cyber threat prediction unit that predicts the cyber threat situation based on the information on the zombie PCs.

    Abstract translation: PURPOSE: To provide a cyber threat prediction apparatus and method that predicts a large-scale attack on the global network by identifying botnets as a sign of cyber threat. CONSTITUTION: A DNS (Domain Name System)-based C&C (command and control) server detection unit (210) extracts domain addresses considered to be C&C servers by analyzing DNS traffic. A network-based anomaly detection unit (220) detects information on zombie PCs (personal computers) and detects the IP addresses of the zombie PCs by analyzing network traffic. A cyber threat prediction unit (230) predicts the cyber threat situation based on the zombie PC information. The network-based anomaly detection unit is installed in an international gateway network. The DNS-based C&C server detection unit analyzes DNS traffic based on N-tier servers, traffic characteristics and domain addresses. (210) DNS-based C&C server detection unit; (220) Network-based anomaly detection unit; (230) Cyber threat prediction unit; (AA) DNS server farm; (BB) International gateway network

    Method and apparatus for providing security at the transport layer while ensuring transparency
    4.
    Granted patent
    Method and apparatus for providing security at the transport layer while ensuring transparency (Status: expired)

    Publication number: KR100651719B1

    Publication date: 2006-12-06

    Application number: KR1020040089167

    Filing date: 2004-11-04

    CPC classification number: H04L63/04 H04L63/061

    Abstract: The method and apparatus for providing security at the transport layer while ensuring transparency according to the present invention comprise: receiving a data packet from an application program and then looking up the key information corresponding to the data packet; if the lookup fails, requesting a key exchange module residing in the application layer to negotiate a new key and waiting; and, once the key exchange module stores the newly negotiated key information in the kernel, performing encryption and decryption based on that information. By performing encryption/decryption of data packets at the transport layer within the kernel, it provides security transparency to application programs and provides a structure that is easily extensible and efficiently controllable.
    Keywords: transport layer security, Transport Layer Security, kernel, Secure Socket Layer (SSL), transparency

    Method and system for tracking attack sources and attack distribution sites
    5.
    Invention publication
    Method and system for tracking attack sources and attack distribution sites (Status: invalid)

    Publication number: KR1020130049336A

    Publication date: 2013-05-14

    Application number: KR1020110114286

    Filing date: 2011-11-04

    CPC classification number: H04L63/1491

    Abstract: PURPOSE: A method for tracking attack sources and attack distribution sites, and a system thereof, are provided to manage the path and configuration of an attack scenario by tracking an abnormal file uploader in real time. CONSTITUTION: An agent (500) receives an information confirmation message for an abnormal file, corresponding to the transmission of the abnormal file's information (S117). The agent selects the site corresponding to the abnormal file's information as an attack distribution site (S119). The agent transmits an abnormal file uploader information request message. The agent receives the abnormal file uploader information corresponding to the request message (S121). When the received abnormal file uploader information matches the stored uploader information, the agent sets an attack source using the abnormal file uploader information (S123). [Reference numerals] (100) Attack computer; (200) User computer; (300) Network security server; (400) Site file management server; (500) Agent; (S101) Upload an abnormal file; (S103) Analyze behaviour and extract uploader information; (S105) Transmit the uploader information; (S107) Store the uploader information; (S109) Download the abnormal file; (S111) Store the downloading user's information with the uploader information; (S113) Transmit attack information when a cyber attack is detected; (S115) Transmit the transmission network address; (S117) Transmit a confirmation message for the transmission network address; (S119) Define an attack distribution site; (S121) Receive the uploader information; (S123) Define an attack source


    Network attack detection and response apparatus, and network attack detection and response method
    6.
    Granted patent
    Network attack detection and response apparatus, and network attack detection and response method (Status: in force)

    Publication number: KR101775514B1

    Publication date: 2017-09-06

    Application number: KR1020110117300

    Filing date: 2011-11-11

    Abstract: With existing traffic-volume-based detection methods or signaling-based detection methods, it is not only difficult to distinguish normal traffic from attack traffic, but it is also difficult to measure the state of the RAN (Radio Access Network) of a mobile communication network from traffic volume alone, and responding when an attack occurs is also very difficult. Accordingly, embodiments of the present invention aim to provide a network attack detection and response technique that can accurately detect and respond to network attacks on the RAN (for example, DoS, DDoS, etc.) in a mobile communication network that cannot be detected with existing traffic-volume-based anomaly/attack detection techniques and signaling-based detection techniques, thereby providing stable mobile communication network service.


    Apparatus and method for quantifying the abnormality of an abnormal host
    9.
    Invention publication
    Apparatus and method for quantifying the abnormality of an abnormal host (Status: invalid)

    Publication number: KR1020140006408A

    Publication date: 2014-01-16

    Application number: KR1020120073225

    Filing date: 2012-07-05

    CPC classification number: H04L43/062 H04L41/145 H04L43/08 H04L63/1425

    Abstract: Disclosed are an apparatus for quantifying the abnormality of an abnormal host and a method thereof. The apparatus for quantifying abnormality according to the present invention comprises: an analysis component extractor for extracting analysis components from DNS traffic; a node classifier for modeling the analysis components according to a classification rule and classifying terminal nodes within a network based on the modeling result; a basic probability extractor for checking the relative distribution corresponding to the terminal node classification result and extracting a basic probability value based on the check result; a counter for classifying malicious zombie nodes using the basic probability value, extracting domain information from the traffic sent by the malicious zombie nodes to a DNS server, and counting the number of domain occurrences based on the extracted domain information; and a quantifying part for extracting a quantified value of the malicious domains based on the number of domain occurrences and quantifying the abnormality value of the abnormal host based on that quantified value. [Reference numerals] (110) Analysis component extractor; (120) Node classifier; (130) Basic probability extractor; (140) Counter; (150) Quantifying part


    Network attack detection and response apparatus, and network attack detection and response method
    10.
    Invention publication
    Network attack detection and response apparatus, and network attack detection and response method (Status: in force)

    Publication number: KR1020130052077A

    Publication date: 2013-05-22

    Application number: KR1020110117300

    Filing date: 2011-11-11

    CPC classification number: H04L63/1416 H04L63/1458 H04L63/20

    Abstract: PURPOSE: A network attack detection and response device, and a method thereof, are provided to accurately detect a network attack on a RAN (Radio Access Network) that cannot be detected with a signaling-based detection method. CONSTITUTION: A resource usage amount gathering unit (100) collects resource usage information provided through a network. A resource usage amount analysis unit (102) analyzes and classifies the attributes and resources collected through the usage amount gathering unit. An attack detecting unit (104) detects a traffic attack by comparing a per-port profile with the resource usage information analyzed by the resource usage analysis unit. An attack responding unit (106) generates a security policy for the user information detected by the attack detecting unit. The attack responding unit transmits the generated security policy to each security device. [Reference numerals] (1) Network; (100) Resource usage amount gathering unit; (102) Resource usage amount analysis unit; (104) Attack detecting unit; (106) Attack responding unit

