公开(公告)号：KR1020140006408A

公开(公告)日：2014-01-16

申请号：KR1020120073225

申请日：2012-07-05

Applicant: 한국전자통신연구원

Inventor： 임선희 ,  김종현 ,  김기영 ,  이성원 ,  조재익 ,  서동일 ,  안개일 ,  서대희

IPC: H04L12/26

CPC classification number: H04L43/062 ,  H04L41/145 ,  H04L43/08 ,  H04L63/1425

Abstract: Disclosed are an apparatus for quantifying the abnormality of an abnormal host and a method thereof. The apparatus for quantifying abnormality according to the present invention comprises: an analysis component extractor for extracting analysis components in a DNS traffic; a node classifier for modeling the analysis components according to a classification rule and classifying terminal nodes within a network based on the modeling result; a basic probability extractor for checking a relative distribution corresponding to the terminal node classification result and extracting a basic probability value based on the check result; a counter for classifying malicious zombie nodes by using the basic probability value, extracting domain information among traffics from the malicious zombie nodes to a DNS server, and counting the number of domain occurrences based on the extracted domain information; and a quantifying part for extracting a quantified value of the malicious domains based on the number of domain occurrences and quantifying the abnormal value of the abnormal host based on the quantified value. [Reference numerals] (110) Analysis component extractor; (120) Node classifier; (130) Basic probability extractor; (140) Counter; (150) Quantifying part

Abstract translation: 公开了一种用于量化异常主机的异常的装置及其方法。 根据本发明的用于量化异常的装置包括：用于提取DNS业务中的分析组件的分析部件提取器; 一种用于根据分类规则建模分析组件并基于建模结果对网络内的终端节点进行分类的节点分类器; 基本概率提取器，用于检查对应于终端节点分类结果的相对分布，并且基于检查结果提取基本概率值; 通过使用基本概率值对恶意僵尸节点进行分类的计数器，从恶意僵尸节点到DNS服务器的流量中提取域信息，并根据提取的域信息对域数发生次数进行计数; 以及量化部，其基于域发生次数提取恶意域的量化值，并根据量化值量化异常主机的异常值。 （附图标记）（110）分析部件提取器; （120）节点分类器; （130）基本概率提取器; （140）柜台; （150）量化部分