Abstract:
PURPOSE: A cyber security event information management device and a method thereof are provided to guarantee anonymity by converting internet protocol (IP) address information into virtual information. CONSTITUTION: A security event generation system(100) of one or more clients outputs the security event information generated by a security solution through a client converter. A security event collecting and integrated management unit(200) of a server collects, through a server converter, the security event information generated by the security event generation systems. The security event collecting and integrated management unit of the server converts the collected security event information and outputs it as security event information of a new type. [Reference numerals] (100) Security event generation system 1; (110,BB,DD) Client converter; (200) Security event collecting and integrating management unit; (210) Server converter; (AA) Security event generation system 2; (CC) Security event generation system N; (EE) Internet
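The abstract does not say how the client converter turns a real address into a "virtual" one. The example below is added here and is not the patent's code: it assumes a keyed pseudonym (HMAC-SHA256 under a secret that stays on the client, mapped into a reserved virtual range so the result still parses as an IPv4 address), so that the same real address always maps to the same virtual address and the server can still correlate events without being able to recover the real address. The event layout, field names and the server-side record format are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import json
import re

# Constructed sample event, as a security solution on the client might emit it (not captured data).
RAW_EVENT = {
    "ts": "2024-05-01T12:00:00Z",
    "sensor": "ids-1",
    "sig": "sample portscan signature",
    "src_ip": "198.51.100.23",
    "dst_ip": "192.0.2.10",
    "msg": "portscan from 198.51.100.23 against 192.0.2.10",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class ClientConverter:
    """Replaces every IPv4 address in an event with a keyed pseudonym (assumed design:
    HMAC-SHA256 under a client-held secret, reduced into a virtual address range).
    Same real address -> same virtual address, so events stay correlatable on the server,
    but the server cannot invert the mapping without the client's key."""

    def __init__(self, secret: bytes, virtual_net: str = "10.0.0.0/8"):
        self.secret = secret
        self.net = ipaddress.ip_network(virtual_net)

    def virtual_ip(self, real_ip: str) -> str:
        tag = hmac.new(self.secret, real_ip.encode(), hashlib.sha256).digest()
        offset = int.from_bytes(tag[:8], "big") % self.net.num_addresses
        return str(self.net.network_address + offset)

    def convert(self, event: dict) -> dict:
        out = dict(event)
        for key in ("src_ip", "dst_ip"):
            if key in out:
                out[key] = self.virtual_ip(out[key])
        if "msg" in out:  # free-text fields leak addresses too, so rewrite literals there as well
            out["msg"] = IPV4.sub(lambda m: self.virtual_ip(m.group(0)), out["msg"])
        return out


class ServerConverter:
    """Collects converted events from many clients and re-emits them in one common
    record format (the abstract's 'new type' event), tagged with the reporting client."""

    FIELDS = ("ts", "sensor", "sig", "src_ip", "dst_ip", "msg")

    def collect(self, client_id: str, event: dict) -> dict:
        rec = {"client": client_id}
        rec.update({k: event.get(k) for k in self.FIELDS})
        return rec


def pipeline(secret: bytes, client_id: str, event: dict) -> dict:
    """Client-side conversion followed by server-side collection, end to end."""
    return ServerConverter().collect(client_id, ClientConverter(secret).convert(event))


if __name__ == "__main__":
    print(json.dumps(pipeline(b"client-local-secret", "client-1", RAW_EVENT), indent=2))
```

Two caveats a reviewer would raise: the pseudonym is deterministic, so anyone holding the event stream can still count how often a given virtual address appears (frequency analysis), and the anonymity claim depends entirely on the key never leaving the client; if the server converter is given the key, the "virtual" addresses are merely obfuscated, not anonymous.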
Abstract:
PURPOSE: A method and a system for managing network attacks, and a device for providing network services for managing the network attacks, are provided to help a service user search for and use appropriate services. CONSTITUTION: A client terminal(100) searches for detection/response information on network attacks and shares network attack information based on a service registry. A network service providing device(300) collects, analyzes, and manages the detection/response information and registers it in the service registry. An authentication service providing device(400) transmits the authentication result for the client terminal to the service registry in response to a service search request from the client terminal or an authentication request from the network service providing device.
Abstract:
PURPOSE: A distributed denial of service attack traffic control device based on connection history and a method thereof are provided to protect network resources and server system resources. CONSTITUTION: A network monitoring unit(202) detects in advance whether a DDoS (Distributed Denial of Service) attack is occurring. A harmfulness inspection unit(212) sets a priority per source address based on that address's connection history. A block unit(218) controls traffic according to the priority information once it is determined that a DDoS attack has occurred.
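The three units above map onto a small admission-control loop. The following is an added example, not the patent's implementation: the priority scale (3 = established good history, 2 = mostly good, 1 = never seen, 0 = mostly half-open/aborted), the rate-based attack detector and the admission threshold are all assumptions, and the connection history and packets are constructed. The point it demonstrates is the design trade-off the abstract leaves implicit: when the block unit engages, sources with no history are shed along with the bad ones.

```python
from collections import defaultdict


class ConnectionHistory:
    """Per-source record of past sessions: completed normally vs. half-open/aborted
    (the latter being what a SYN flood leaves behind)."""

    def __init__(self):
        self.completed = defaultdict(int)
        self.aborted = defaultdict(int)

    def record(self, src: str, completed: bool) -> None:
        table = self.completed if completed else self.aborted
        table[src] += 1


class HarmfulnessInspector:
    """Sets a priority per source address from its connection history (assumed scale):
    3 = established good history, 2 = mostly good, 1 = never seen, 0 = mostly bad."""

    def __init__(self, history: ConnectionHistory):
        self.history = history

    def priority(self, src: str) -> int:
        good = self.history.completed.get(src, 0)
        bad = self.history.aborted.get(src, 0)
        if good + bad == 0:
            return 1
        ratio = good / (good + bad)
        if good >= 5 and ratio >= 0.9:
            return 3
        if ratio >= 0.5:
            return 2
        return 0


class NetworkMonitor:
    """Flags a DDoS when the observed packet rate exceeds a multiple of a learned baseline
    (assumed detector; the abstract does not specify the method)."""

    def __init__(self, baseline_pps: float, factor: float = 5.0):
        self.baseline_pps = baseline_pps
        self.factor = factor

    def under_attack(self, observed_pps: float) -> bool:
        return observed_pps > self.baseline_pps * self.factor


class BlockUnit:
    """Passes everything in normal operation; during an attack admits only sources whose
    priority meets the threshold, so never-seen sources (priority 1) are shed first."""

    def __init__(self, inspector: HarmfulnessInspector, threshold: int = 2):
        self.inspector = inspector
        self.threshold = threshold

    def filter(self, packets: list, under_attack: bool) -> list:
        if not under_attack:
            return list(packets)
        return [p for p in packets if self.inspector.priority(p["src"]) >= self.threshold]


def build_history() -> ConnectionHistory:
    """Constructed history for the example (not captured data)."""
    h = ConnectionHistory()
    for _ in range(10):
        h.record("192.0.2.10", True)        # long-standing, well-behaved client
    for i in range(6):
        h.record("192.0.2.20", i % 2 == 0)  # 3 completed, 3 aborted
    for _ in range(20):
        h.record("198.51.100.5", False)     # only half-open connections ever seen
    return h


# Constructed packets: one from each history class plus one never-seen source.
PACKETS = [{"src": s} for s in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.7")]


def simulate(observed_pps: float) -> list:
    """Sources admitted by the block unit at the given observed packet rate."""
    monitor = NetworkMonitor(baseline_pps=100)
    block = BlockUnit(HarmfulnessInspector(build_history()))
    return [p["src"] for p in block.filter(PACKETS, monitor.under_attack(observed_pps))]
```

At 120 packets/s nothing is blocked; at 10,000 packets/s only the two sources with a usable history get through. Whether shedding first-time visitors during an attack is acceptable depends on the service; a real deployment would usually pair this with a challenge or rate limit for priority-1 sources rather than a hard drop.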
Abstract:
PURPOSE: A correlation analysis apparatus and method based on malicious file information on a network are provided to recognize malicious code paths and scenarios from file information collected on the network. CONSTITUTION: A scenario definition table(104) is composed of the malicious code propagation paths of one or more scenarios. A correlation definition table(106) is composed of correlation conditions based on traffic characteristics. A post-decision processing unit produces a maliciousness probability value for each file of concern by comparing the traffic information table against the scenario definition table.
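Added example (not the patent's code) of the three tables working together: the correlation table maps a traffic record to a propagation stage, the scenario table lists stages in path order, and the post-decision step scores each file by how much of the best-matching path it has traversed. The stage conditions, scenarios, scoring rule (ordered coverage of the path, taken as the "probability") and traffic records are all constructed assumptions; the abstract does not define them.

```python
# Correlation definition table (constructed): stage name -> condition on one traffic record.
CORRELATION_TABLE = {
    "download":  lambda t: t["proto"] == "tcp" and t["dport"] in (80, 443) and t["dir"] == "in",
    "lateral":   lambda t: t["proto"] == "tcp" and t["dport"] in (139, 445) and t["dir"] == "out",
    "c2":        lambda t: t["proto"] == "tcp" and t["dport"] in (4444, 6667) and t["dir"] == "out",
    "mass_mail": lambda t: t["proto"] == "tcp" and t["dport"] == 25 and t["dir"] == "out",
}

# Scenario definition table (constructed): propagation path as an ordered list of stages.
SCENARIO_TABLE = {
    "worm":    ["download", "lateral", "c2"],
    "spambot": ["download", "c2", "mass_mail"],
}


def stage_sequence(records: list) -> list:
    """Label each traffic record with the first stage whose condition holds, in time order;
    records matching no condition are ignored."""
    seq = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        for stage, cond in CORRELATION_TABLE.items():
            if cond(rec):
                seq.append(stage)
                break
    return seq


def ordered_coverage(path: list, observed: list) -> float:
    """Fraction of the scenario's stages seen in the observed sequence, in scenario order.
    A missing stage is skipped rather than fatal, so a partially traversed path still scores."""
    pos, hits = 0, 0
    for stage in path:
        try:
            pos = observed.index(stage, pos) + 1
            hits += 1
        except ValueError:
            pass
    return hits / len(path)


def post_decision(traffic_table: dict) -> dict:
    """For every file of concern return (best scenario, maliciousness probability), where the
    probability is the best ordered coverage over all scenarios (assumed scoring rule)."""
    result = {}
    for file_hash, records in traffic_table.items():
        observed = stage_sequence(records)
        best_name, best = None, 0.0
        for name, path in SCENARIO_TABLE.items():
            score = ordered_coverage(path, observed)
            if score > best:
                best_name, best = name, score
        result[file_hash] = (best_name, round(best, 3))
    return result


# Traffic information table (constructed): file hash -> traffic records seen around that file.
TRAFFIC_TABLE = {
    "sha256:aaa": [
        {"ts": 1, "proto": "tcp", "dport": 80,   "dir": "in"},   # fetched over HTTP
        {"ts": 2, "proto": "udp", "dport": 53,   "dir": "out"},  # DNS, matches no stage
        {"ts": 3, "proto": "tcp", "dport": 445,  "dir": "out"},  # SMB to neighbours
        {"ts": 4, "proto": "tcp", "dport": 6667, "dir": "out"},  # IRC-style C2
    ],
    "sha256:bbb": [{"ts": 1, "proto": "tcp", "dport": 443, "dir": "in"}],  # download only
    "sha256:ccc": [
        {"ts": 5, "proto": "tcp", "dport": 4444, "dir": "out"},
        {"ts": 6, "proto": "tcp", "dport": 25,   "dir": "out"},
        {"ts": 7, "proto": "tcp", "dport": 25,   "dir": "out"},
    ],
}
```

With these tables, sha256:aaa completes the worm path (1.0), sha256:bbb has only been downloaded and scores 1/3 against every scenario, and sha256:ccc scores 2/3 against the spambot path even though its download was never observed. The low score for a plain download is the useful property here: a single HTTP fetch should not light up a file on its own.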
Abstract:
A system and a method for managing and distributing integrated signatures for network attacks are provided to consistently manage a number of complex security management systems based on the signatures generated by signature-generating security systems. A signature collector(100) classifies the signatures generated by each signature-generating security system according to the information each signature contains, and collects them in an analyzable internal structure form. A signature analyzer analyzes the collected signatures to increase their reliability. A signature distributing unit(400) distributes the analyzed signatures to security management systems on other networks through a signature distribution protocol(600).
Abstract:
An apparatus and a method for preventing intrusion based on the alert severity of signature detection and abnormal traffic are provided to accurately calculate the reliability of the alert severity reported by an abnormal traffic detecting sensor, using attack alerts collected from different kinds of detecting sensors, and thereby respond appropriately to intrusions involving abnormal traffic. A preprocessor(120) classifies attack alerts, each carrying a reliability and an alert severity, collected from a plurality of different attack pattern detecting sensors(101) and an abnormal traffic detecting sensor(105), according to generation time, and calculates a reference value expressing the consistency of the attack alerts having the same generation time. A reliability calculator(130) calculates the reliability of the alert severity of attack alerts generated by the abnormal traffic detecting sensor based on at least one of the reference value and the alert severity of the attack alerts generated at the same time.
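Added example, not the patent's implementation, of the preprocessor/reliability-calculator split. The abstract fixes the inputs (alerts with a sensor-reported reliability and severity, grouped by generation time) and the outputs (a reference value per time group, a reliability for each anomaly alert's severity) but not the formulas, so the ones below are assumptions: the reference value is the reliability-weighted mean severity of the concurrent pattern-sensor alerts together with a consistency term (1 minus the normalised spread of their severities), and the anomaly alert's reliability is its agreement with that reference severity scaled by the consistency. The alerts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev

MAX_SEVERITY = 5  # assumed 1..5 severity scale


@dataclass
class Alert:
    sensor: str
    kind: str           # "pattern" (signature-based sensor) or "anomaly" (abnormal-traffic sensor)
    ts: int             # generation time, seconds
    severity: int       # 1..MAX_SEVERITY
    reliability: float  # 0..1, as reported by the sensor itself


class Preprocessor:
    """Groups alerts by generation-time window and computes, per window, a reference value
    describing how consistent the pattern sensors' alerts are with one another."""

    def __init__(self, window: int = 10):
        self.window = window

    def classify(self, alerts: list) -> dict:
        groups = defaultdict(list)
        for a in alerts:
            groups[a.ts // self.window].append(a)
        return groups

    @staticmethod
    def reference_value(pattern_alerts: list):
        """(reliability-weighted mean severity, consistency), consistency being 1 minus the
        spread of severities normalised to the severity scale (assumed definition)."""
        if not pattern_alerts:
            return None
        wsum = sum(a.reliability for a in pattern_alerts)
        mean_sev = sum(a.severity * a.reliability for a in pattern_alerts) / wsum
        spread = pstdev([a.severity for a in pattern_alerts]) / (MAX_SEVERITY - 1)
        return mean_sev, 1.0 - spread


class ReliabilityCalculator:
    """Reliability of an anomaly alert's severity = agreement with the concurrent pattern
    alerts' reference severity, scaled by their consistency (assumed definition)."""

    @staticmethod
    def reliability(anomaly: Alert, reference) -> float:
        if reference is None:  # nothing to corroborate against: keep the sensor's own value
            return anomaly.reliability
        ref_sev, consistency = reference
        agreement = 1.0 - abs(anomaly.severity - ref_sev) / (MAX_SEVERITY - 1)
        return round(max(0.0, agreement) * consistency, 3)


def assess(alerts: list, window: int = 10) -> dict:
    """Return {(sensor, ts): reliability} for every anomaly alert."""
    pre = Preprocessor(window)
    out = {}
    for group in pre.classify(alerts).values():
        reference = pre.reference_value([a for a in group if a.kind == "pattern"])
        for a in group:
            if a.kind == "anomaly":
                out[(a.sensor, a.ts)] = ReliabilityCalculator.reliability(a, reference)
    return out


ALERTS = [  # constructed sample alerts, three 10-second windows
    Alert("pattern-1", "pattern", 100, 4, 0.9),
    Alert("pattern-2", "pattern", 103, 4, 0.8),
    Alert("pattern-3", "pattern", 107, 5, 0.6),
    Alert("anomaly",   "anomaly", 105, 4, 0.5),  # severity agrees with three pattern sensors
    Alert("pattern-1", "pattern", 202, 5, 0.9),
    Alert("anomaly",   "anomaly", 205, 2, 0.5),  # severity contradicts the concurrent pattern alert
    Alert("anomaly",   "anomaly", 305, 3, 0.5),  # nothing else in this window
]
```

The first anomaly alert ends up around 0.82, the contradicted one at 0.25, and the uncorroborated one keeps its sensor-reported 0.5. The design choice worth noting is that absence of pattern alerts is not treated as disagreement: an anomaly sensor exists precisely to catch what signatures miss, so an empty window must not drive the reliability to zero.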
Abstract:
The present invention relates to a method and apparatus for automatically generating and automatically updating attack behavior detection rules from network session characteristic information. It comprises a network session characteristic information extraction unit, which converts network data classified by session characteristic information into an input data format that includes the session characteristic information and the characteristics of the network data type to which the data belongs (normal type, attack type, or unknown type), and a detection rule automatic generation unit, which applies an extended C4.5 algorithm to the converted network data to construct a decision tree, derives the accuracy of the decision tree from the error rate at its leaf nodes, and generates patterned detection rules per network data type based on the characteristics of the network data type, the conditional expressions used to select the node with the best information gain, and the accuracy; in this way the detection rules are generated and updated automatically. Keywords: network session characteristic information, detection rule, decision tree, automatic generation, automatic update
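Added example, not the patent's implementation, of the path from labelled session records to patterned rules with an accuracy figure. It uses the standard C4.5 gain-ratio criterion on categorical session features (the patent's "extended C4.5" is not described in the abstract, so plain C4.5 is an assumption), stops splitting when a partition would fall below a minimum size, takes the leaf's error rate as 1 minus the rule's accuracy, and turns each root-to-leaf path into one rule per network data type. The session records, feature names and the one deliberately mislabelled record are constructed.

```python
import math
from collections import Counter

# Constructed session records: categorical session features plus the type they belong to
# (normal / attack / unknown). Not captured traffic. The last record is deliberately noisy.
SESSIONS = [
    ({"proto": "tcp", "port": "well_known", "flags": "complete", "duration": "short"}, "normal"),
    ({"proto": "tcp", "port": "well_known", "flags": "complete", "duration": "long"},  "normal"),
    ({"proto": "udp", "port": "well_known", "flags": "complete", "duration": "short"}, "normal"),
    ({"proto": "tcp", "port": "well_known", "flags": "syn_only", "duration": "short"}, "attack"),
    ({"proto": "tcp", "port": "high",       "flags": "syn_only", "duration": "short"}, "attack"),
    ({"proto": "tcp", "port": "registered", "flags": "syn_only", "duration": "short"}, "attack"),
    ({"proto": "udp", "port": "high",       "flags": "complete", "duration": "short"}, "unknown"),
    ({"proto": "tcp", "port": "high",       "flags": "complete", "duration": "long"},  "unknown"),
    ({"proto": "tcp", "port": "well_known", "flags": "syn_only", "duration": "short"}, "attack"),
    ({"proto": "tcp", "port": "well_known", "flags": "complete", "duration": "short"}, "unknown"),
]
ATTRS = ["proto", "port", "flags", "duration"]


def entropy(labels: list) -> float:
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def partition(rows: list, labels: list, attr: str) -> dict:
    """attribute value -> (rows, labels) having that value."""
    parts = {}
    for r, y in zip(rows, labels):
        parts.setdefault(r[attr], ([], []))
        parts[r[attr]][0].append(r)
        parts[r[attr]][1].append(y)
    return parts


def gain_ratio(rows: list, labels: list, attr: str) -> float:
    """C4.5 split criterion: information gain divided by split information."""
    n = len(labels)
    parts = partition(rows, labels, attr)
    gain = entropy(labels) - sum(len(ys) / n * entropy(ys) for _, ys in parts.values())
    split_info = -sum(len(ys) / n * math.log2(len(ys) / n) for _, ys in parts.values())
    return gain / split_info if split_info > 0 else 0.0


def build_tree(rows: list, labels: list, attrs: list, min_size: int = 2) -> dict:
    """Grow the tree; a leaf records majority type, support and error rate (1 - accuracy).
    Attributes that would create a partition smaller than min_size are not usable."""
    majority, count = Counter(labels).most_common(1)[0]
    usable = [a for a in attrs
              if len({r[a] for r in rows}) > 1
              and min(len(ys) for _, ys in partition(rows, labels, a).values()) >= min_size]
    if count == len(labels) or not usable:
        return {"type": majority, "support": len(labels), "error": 1 - count / len(labels)}
    best = max(usable, key=lambda a: gain_ratio(rows, labels, a))
    node = {"attr": best, "children": {}}
    rest = [a for a in attrs if a != best]
    for value, (sub_rows, sub_labels) in sorted(partition(rows, labels, best).items()):
        node["children"][value] = build_tree(sub_rows, sub_labels, rest, min_size)
    return node


def extract_rules(node: dict, conditions: tuple = ()):
    """Each root-to-leaf path becomes one patterned detection rule carrying its accuracy."""
    if "type" in node:
        yield {"type": node["type"], "if": list(conditions),
               "accuracy": round(1 - node["error"], 3), "support": node["support"]}
        return
    for value, child in node["children"].items():
        yield from extract_rules(child, conditions + ("%s == %r" % (node["attr"], value),))


def generate_rules(sessions: list = SESSIONS, attrs: list = ATTRS) -> list:
    rows = [features for features, _ in sessions]
    labels = [kind for _, kind in sessions]
    return list(extract_rules(build_tree(rows, labels, attrs)))
```

On the constructed data the root split is on the connection flags, which separates the SYN-only attack sessions perfectly; the completed sessions split again on port class, and the leaf holding the mislabelled record reports accuracy 0.75 rather than 1.0. That figure is what a rule consumer should look at before promoting an auto-generated rule to blocking mode.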
Abstract:
The present invention relates to an integrated signature management and distribution system and method for network attacks. The integrated signature management and distribution system for network attacks according to the present invention integrally manages the signatures generated by a plurality of signature-generating security systems in a distributed network environment, and is characterized by comprising: a signature collector, which classifies the signatures generated by each of the signature-generating security systems according to the information each signature contains and collects them in the form of an analyzable internal structure; a signature analyzer, which analyzes the collected signatures so as to improve their reliability; and a signature distributor, which distributes the analyzed signatures to security management systems on other networks through a signature distribution protocol. Keywords: signature, normalization, integration, distribution, management, security
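Both this abstract and the English one for the same system above describe a signature collector that classifies incoming signatures by the information they carry and stores them in an analyzable internal structure. The following is an added example of that normalization step, not the patent's code: it parses a Snort/Suricata-style rule (a real, widely used format) and a hypothetical vendor JSON format constructed for the example into one common structure, classifies each as a payload or header signature, and files it by protocol and kind. The field set of the internal structure and the sample signatures are assumptions.

```python
import json
import re
from dataclasses import asdict, dataclass, field


@dataclass
class Signature:
    """Analyzable internal structure shared by every source (assumed field set)."""
    source: str
    sig_id: str
    proto: str
    dst_port: str
    contents: list = field(default_factory=list)
    msg: str = ""
    kind: str = ""  # "payload" if it matches on content, otherwise "header"


SNORT_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_snort(rule: str) -> Signature:
    """Snort/Suricata rule header plus the options needed for classification."""
    m = SNORT_HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    opts = m.group("opts")
    sid = re.search(r"sid:\s*(\d+)", opts)
    msg = re.search(r'msg:\s*"([^"]*)"', opts)
    return Signature(
        source="snort",
        sig_id=sid.group(1) if sid else "",
        proto=m.group("proto").lower(),
        dst_port=m.group("dport"),
        contents=re.findall(r'content:\s*"([^"]*)"', opts),
        msg=msg.group(1) if msg else "",
    )


def parse_vendor_json(text: str) -> Signature:
    """Hypothetical vendor format (constructed for this example): one JSON object per signature."""
    d = json.loads(text)
    return Signature(
        source="vendorB",
        sig_id=str(d["id"]),
        proto=d.get("protocol", "ip").lower(),
        dst_port=str(d.get("dst_port", "any")),
        contents=[d["pattern"]] if d.get("pattern") else [],
        msg=d.get("description", ""),
    )


class SignatureCollector:
    """Classifies each incoming signature by the information it carries and files it under
    (proto, kind), so an analyzer can compare like with like across sources."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def classify(sig: Signature) -> str:
        return "payload" if sig.contents else "header"

    def collect(self, sig: Signature) -> Signature:
        sig.kind = self.classify(sig)
        self.store.setdefault((sig.proto, sig.kind), []).append(sig)
        return sig

    def dump(self) -> dict:
        return {"%s/%s" % key: [asdict(s) for s in sigs] for key, sigs in self.store.items()}


# Constructed samples; the sid is from the local-rule range, not a published rule.
SAMPLE_SNORT = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample cmd.exe access"; '
                'content:"cmd.exe"; nocase; sid:1000001; rev:1;)')
SAMPLE_VENDOR = '{"id": 77, "protocol": "UDP", "dst_port": 1900, "description": "SSDP probe"}'


def collect_samples() -> SignatureCollector:
    collector = SignatureCollector()
    collector.collect(parse_snort(SAMPLE_SNORT))
    collector.collect(parse_vendor_json(SAMPLE_VENDOR))
    return collector
```

Normalizing before analysis is what makes the later "reliability" step possible: two sources describing the same attack can only be compared, deduplicated or cross-checked once their port, protocol and content fields live in the same structure. Anything the parser cannot map (here, a malformed rule raises) should be rejected at the collector rather than silently distributed onward.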
Abstract:
An apparatus for analyzing and coping with an intrusion situation, and a method for expressing attack detection alarms as an N-dimensional correlation graph, are provided to enable an administrator to intuitively recognize and cope with an intrusion situation by expressing the attack situation, its stages, and correlated attacks as a two- or three-dimensional graph. The apparatus comprises a first analysis part(107) and a second analysis part(109). The first analysis part collects attack detection alarms from network alarm devices, classifies them, and expresses the result as a three-dimensional graph. The second analysis part receives that result, performs a vector conversion to project the three-dimensional graph onto a two-dimensional graph, and analyzes the correlations between attacks. The first analysis part comprises an attack detection alarm collection part, a classification part, and an N-dimensional expression analysis part. The attack detection alarm collection part collects the attack detection alarms. The classification part classifies the collected alarms according to attack stage and attack situation. The N-dimensional expression analysis part outputs each classified attack stage as a three-dimensional graph.