Abstract:
Provided are an N-grouping-of-traffic, pattern-free Internet worm response system and method. The traffic factors generated by individual worms are grouped into N groups so that a large quantity of information can be understood effectively and a worm that appears later can be associated with the characteristics of the relevant group. The damage to a network or system that can be predicted from the N already-classified traffic characteristics is defined so that corresponding step-by-step countermeasures can be taken. The characteristics of the grouped worms are analysed quantitatively so that the danger degree of a new worm can be predicted when it appears, and forecasting and alarming are performed on the basis of that prediction. Because the controlling operator can instantly grasp an incident through a near-real-time visualization method, detection efficiency for the many worms that cannot be detected with conventional rules is increased.
Abstract:
A multistep integrated security management system and method using an intrusion detection log collection engine and a traffic statistic generation engine is disclosed. The intrusion detection log collection engine, which can collect logs generated by diverse intrusion detection engines, and the traffic statistic generation engine collect data, analyse it, and transmit the results to a control intermediate management server. The intermediate server performs more accurate intrusion detection by relationally analysing the intrusion detection log information together with the traffic statistic information. A control uppermost management server performs integrated security management over a large-scale group of controlled systems by analysing the group as a whole, and can therefore support large-scale integrated security management efficiently.
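The relational analysis at the intermediate server, as an added example (not code from the patent): alerts from several detection engines are merged, each merged alert is confirmed against the per-minute traffic statistics bucket covering its first occurrence, and anomalous sources with no alert at all are reported separately. The log formats, the SYN/failure thresholds and the addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log lines in a simplified format (not the format of any real IDS).
IDS_LOGS = """\
2024-03-01T10:00:05 ids-a sid=2001 msg="TCP portscan" src=10.0.0.5
2024-03-01T10:00:09 ids-b sid=2001 msg="TCP portscan" src=10.0.0.5
2024-03-01T10:02:30 ids-a sid=3100 msg="SQL injection attempt" src=10.0.0.9
"""
# Constructed per-minute traffic statistics per source address.
TRAFFIC_STATS = """\
2024-03-01T10:00:00 src=10.0.0.5 syn=950 distinct_dst=420 fail_ratio=0.88
2024-03-01T10:00:00 src=10.0.0.9 syn=12 distinct_dst=2 fail_ratio=0.05
2024-03-01T10:01:00 src=10.0.0.7 syn=870 distinct_dst=390 fail_ratio=0.91
"""

ALERT_RE = re.compile(r'^(?P<ts>\S+) (?P<sensor>\S+) sid=(?P<sid>\d+) '
                      r'msg="(?P<msg>[^"]*)" src=(?P<src>\S+)$')
STAT_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) syn=(?P<syn>\d+) '
                     r'distinct_dst=(?P<dd>\d+) fail_ratio=(?P<fr>[0-9.]+)$')


def parse_alerts(text):
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append({"ts": datetime.fromisoformat(m["ts"]), "sensor": m["sensor"],
                        "sid": int(m["sid"]), "msg": m["msg"], "src": m["src"]})
    return out


def parse_stats(text):
    out = []
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            out.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                        "syn": int(m["syn"]), "distinct_dst": int(m["dd"]),
                        "fail_ratio": float(m["fr"])})
    return out


def is_anomalous(stat, syn_limit=500, fail_limit=0.5):
    """Assumed thresholds for a scan-like source: many SYNs, most of them failing."""
    return stat["syn"] >= syn_limit and stat["fail_ratio"] >= fail_limit


def correlate(alerts, stats, bucket=timedelta(seconds=60)):
    """Relational analysis: merge the same alert seen by several engines, then
    confirm it against the statistics bucket that covers its first occurrence."""
    incidents = {}
    for a in alerts:
        inc = incidents.setdefault((a["src"], a["sid"]), {
            "src": a["src"], "sid": a["sid"], "msg": a["msg"],
            "sensors": set(), "first": a["ts"], "status": "unconfirmed"})
        inc["sensors"].add(a["sensor"])
        inc["first"] = min(inc["first"], a["ts"])
    for inc in incidents.values():
        for s in stats:
            if (s["src"] == inc["src"] and s["ts"] <= inc["first"] < s["ts"] + bucket
                    and is_anomalous(s)):
                inc["status"] = "confirmed"
                break
    alerted = {inc["src"] for inc in incidents.values()}
    # Anomalous traffic that no engine alerted on: a candidate for a missing rule.
    stat_only = [s for s in stats if is_anomalous(s) and s["src"] not in alerted]
    return list(incidents.values()), stat_only


def summarize(incidents, stat_only):
    """Roll-up the uppermost server would keep per controlled group."""
    counts = Counter(inc["status"] for inc in incidents)
    counts["stat_only"] = len(stat_only)
    return dict(counts)


if __name__ == "__main__":
    incs, extra = correlate(parse_alerts(IDS_LOGS), parse_stats(TRAFFIC_STATS))
    for inc in incs:
        print(inc["src"], inc["sid"], inc["status"], sorted(inc["sensors"]))
    for s in extra:
        print(s["src"], "anomalous traffic with no IDS alert")
    print(summarize(incs, extra))
```

The SQL injection alert stays unconfirmed only because no statistics bucket covers its timestamp; a deployment would keep a bucket per minute for every source, and an unconfirmed status then means the traffic volume really looked normal, which is the usual picture for an application-layer attack.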
Abstract:
A system and method for detecting Internet worm traffic by classifying traffic characteristics into types is disclosed. An Internet worm is defined as a characteristic profile made up of diverse traffic characteristics; worm traffic is detected by comparing the similarity of collected traffic with the defined profiles, the type of worm is classified, and a severity judgment and alarm are produced. The detection efficiency for the many worms that cannot be detected with existing rules is increased. The risk grade of the corresponding worm traffic is also provided quantitatively by judging severity from the similarity scores and a predefined severity grade. The survivability of the whole communication network is thereby improved through stepwise countermeasures and forecasts/alarms, and large volumes of information can be handled effectively.
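Both the N-grouping abstract and the type-classification abstract above rest on the same mechanism: a new traffic sample is compared with the characteristic profile of each known worm group, assigned to the most similar group if the similarity is high enough, and given a quantitative severity from the similarity score and the group's predefined grade. The following is an added example of that pipeline (not code from either patent). The four traffic features, their scales, the three group centroids, the grades and the 0.8 match threshold are all assumed; the centroids stand in for groups that would be produced by clustering real worm traffic.

```python
import math

# Feature order: new connections/s, distinct destination hosts/s,
# failed-connection ratio, destination-port spread (0..1). Scales are assumed
# so that every feature lands in roughly [0, 1] before comparison.
FEATURES = ("conn_rate", "distinct_dsts", "fail_ratio", "port_spread")
SCALE = (1000.0, 1000.0, 1.0, 1.0)

# Constructed profiles: one centroid per traffic group (the N groups), each with
# the predefined severity grade assigned to that group (1 = low .. 4 = critical).
GROUPS = {
    "random-scan": {"centroid": (800.0, 600.0, 0.90, 0.05), "grade": 4},
    "local-scan":  {"centroid": (300.0, 250.0, 0.60, 0.10), "grade": 3},
    "mail-mass":   {"centroid": (40.0, 35.0, 0.05, 0.02),   "grade": 2},
}
MATCH_THRESHOLD = 0.8   # assumed: below this, traffic matches no known group


def scaled(vec):
    return tuple(v / s for v, s in zip(vec, SCALE))


def similarity(sample, centroid):
    """Similarity in [0, 1]: 1 minus the Euclidean distance between the scaled
    vectors, divided by the largest distance unit-range features can have."""
    a, b = scaled(sample), scaled(centroid)
    dist = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return max(0.0, 1.0 - dist / math.sqrt(len(a)))


def classify(sample, groups=GROUPS, threshold=MATCH_THRESHOLD):
    """Most similar group and its score; (None, best score) if nothing passes the threshold."""
    scores = {name: similarity(sample, g["centroid"]) for name, g in groups.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores[best]


def severity(group, score, groups=GROUPS):
    """Quantitative severity = similarity score x the group's predefined grade,
    mapped onto a coarse risk label for the alarm."""
    if group is None:
        return 0.0, "none"
    value = score * groups[group]["grade"]
    label = ("high" if value >= 3.0 else "medium" if value >= 2.0
             else "low" if value >= 1.0 else "info")
    return value, label


def assess(sample):
    group, score = classify(sample)
    value, label = severity(group, score)
    return {"group": group, "similarity": round(score, 3),
            "severity": round(value, 2), "risk": label}


if __name__ == "__main__":
    # Constructed samples: a fast scanner and ordinary client traffic.
    for sample in [(700.0, 500.0, 0.85, 0.08), (5.0, 4.0, 0.02, 0.60)]:
        print(sample, assess(sample))
```

Distance on scaled features is used rather than cosine similarity because worm and benign vectors often point in similar directions and differ mainly in magnitude; cosine similarity would score the ordinary client traffic almost as high as the scanner. The threshold is what turns the scheme into a pattern-free detector: a sample close to any group is alarmed even though no signature for that worm exists, and a sample far from all groups is left for the operator rather than forced into the nearest one.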
Abstract:
A system and method for managing a network by value-based estimation is provided. A network device that requests communication is defined as an active point, and a network device that receives a communication request is defined as a passive point. The value of a network device is determined by the number of active points connected to it, and the value of a device on the communication path between two devices is determined from the values of the devices whose traffic passes through it. When a policy that changes the network environment arrives after the device values have been estimated, a policy conflict test is performed on the basis of those estimated values, so that the decision to apply the policy takes the values and significance of the network devices into account.
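An added example of the value estimation and the conflict test (not the patent's own code). The topology is constructed: hosts H1 to H3 are active points, servers S1 and S2 are passive points, and routers R1 and R2 lie on the paths. A passive point's value is the number of distinct active points that talk to it; a path device's value is the sum of the values of the passive points whose traffic it carries. The conflict rule (a disruptive policy is rejected when its target's value exceeds a limit) and the limit of 2 are assumptions for the example.

```python
from collections import defaultdict

# Constructed communication flows: (active point, passive point, devices on the path).
FLOWS = [
    ("H1", "S1", ["R1"]),
    ("H2", "S1", ["R1"]),
    ("H3", "S1", ["R2", "R1"]),
    ("H1", "S2", ["R1"]),
]

DISRUPTIVE_ACTIONS = {"isolate", "shutdown", "block"}   # assumed policy vocabulary


def endpoint_values(flows):
    """Value of a passive point = number of distinct active points connected to it."""
    actives = defaultdict(set)
    for active, passive, _ in flows:
        actives[passive].add(active)
    return {dev: len(s) for dev, s in actives.items()}


def path_values(flows, endpoint_vals):
    """Value of a device on a path = sum of the values of the passive points whose
    traffic passes through it; each passive point is counted once per device."""
    carried = defaultdict(set)
    for _, passive, path in flows:
        for dev in path:
            carried[dev].add(passive)
    return {dev: sum(endpoint_vals[p] for p in passives)
            for dev, passives in carried.items()}


def estimate_values(flows):
    values = endpoint_values(flows)
    values.update(path_values(flows, values))
    for active, _, _ in flows:
        values.setdefault(active, 0)   # pure requesters: nothing depends on them
    return values


def rank_by_significance(values):
    """Devices ordered from most to least valuable, ties broken by name."""
    return sorted(values, key=lambda d: (-values[d], d))


def policy_conflict_test(policy, values, max_value=2):
    """Assumed rule: a disruptive policy conflicts with the estimated values when
    its target's value exceeds max_value; non-disruptive policies always apply."""
    target = policy["target"]
    value = values.get(target, 0)
    if policy["action"] in DISRUPTIVE_ACTIONS and value > max_value:
        return {"apply": False, "target": target, "value": value,
                "reason": f"value {value} exceeds {max_value}; "
                          f"too many active points depend on {target}"}
    return {"apply": True, "target": target, "value": value, "reason": "no conflict"}


if __name__ == "__main__":
    vals = estimate_values(FLOWS)
    print("values:", vals)
    print("ranking:", rank_by_significance(vals))
    for pol in [{"action": "isolate", "target": "R1"},
                {"action": "isolate", "target": "H3"},
                {"action": "update-acl", "target": "R1"}]:
        print(pol, policy_conflict_test(pol, vals))
```

With these flows R1 outranks both servers (value 4) because every flow crosses it, so a policy that would isolate R1 during an incident is flagged even though R1 itself is never the requested endpoint; isolating the single host H3 is accepted. That is the point of estimating path devices from the endpoints behind them rather than from their own connection counts.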
Abstract:
A system and method for detecting a hidden process using system event information are provided. The system includes: a kernel layer monitoring module that extracts system event information by monitoring the kernel layer; a kernel layer process list detecting module that detects the processes related to events in the extracted system event information; an application layer process list detecting module that detects the process list presented to the user at the application layer; and a hidden process detecting module that compares the two lists and reports any process present only in the kernel layer as a hidden process.
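An added example of the comparison (not the patent's code): the kernel-layer list is rebuilt from a stream of process create/exec/exit events, the application-layer list is parsed from a user-space listing, and a process alive in the kernel view but missing from the user-visible list is reported as hidden. Both inputs are constructed in a simplified format of this example's own, not the output of any real tracer or `ps`.

```python
import re

# Constructed kernel-layer event stream (simplified format, assumed for the example).
KERNEL_EVENTS = """\
t=100 type=fork pid=1200 ppid=1 comm=sshd
t=105 type=fork pid=1310 ppid=1200 comm=bash
t=110 type=fork pid=1420 ppid=1 comm=updater
t=111 type=exec pid=1420 comm=.hidden
t=120 type=exit pid=1310
t=125 type=fork pid=1500 ppid=1 comm=cron
"""
# Constructed application-layer listing, as a user-space tool would present it.
PS_OUTPUT = """\
  PID  PPID COMMAND
    1     0 init
 1200     1 sshd
 1500     1 cron
 1600     1 short-lived
"""

EVENT_RE = re.compile(r"t=(?P<t>\d+) type=(?P<type>\w+) pid=(?P<pid>\d+)"
                      r"(?: ppid=(?P<ppid>\d+))?(?: comm=(?P<comm>\S+))?")


def kernel_process_list(events_text):
    """Rebuild the set of processes the kernel knows to be alive from the events:
    fork adds a pid, exec renames it, exit removes it."""
    alive = {}
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        pid = int(m["pid"])
        if m["type"] == "fork":
            alive[pid] = {"ppid": int(m["ppid"]), "comm": m["comm"]}
        elif m["type"] == "exec" and pid in alive:
            alive[pid]["comm"] = m["comm"]      # image replaced, same pid
        elif m["type"] == "exit":
            alive.pop(pid, None)                # exited before the snapshot: not hidden
    return alive


def application_process_list(ps_text):
    procs = {}
    for line in ps_text.splitlines()[1:]:      # skip the header row
        pid, ppid, comm = line.split(None, 2)
        procs[int(pid)] = {"ppid": int(ppid), "comm": comm}
    return procs


def find_hidden(kernel_procs, app_procs):
    """Processes alive in the kernel view but absent from the user-visible list."""
    return sorted((pid, info["comm"]) for pid, info in kernel_procs.items()
                  if pid not in app_procs)


def unmonitored(kernel_procs, app_procs):
    """Processes in the user list that the event monitor never saw (started before
    monitoring began). Not hidden, but they cannot be vouched for either."""
    return sorted(pid for pid in app_procs if pid not in kernel_procs)


if __name__ == "__main__":
    k = kernel_process_list(KERNEL_EVENTS)
    a = application_process_list(PS_OUTPUT)
    print("hidden:", find_hidden(k, a))
    print("not covered by events:", unmonitored(k, a))
```

Two details matter in practice. The exit event is applied before the comparison, so a process that died between the event and the listing (pid 1310 here) is not reported as a false positive. The comparison is also one-sided: processes the monitor never saw start (pid 1 and 1600) are listed separately rather than judged, because the event-derived list only covers processes created after monitoring began.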
Abstract:
Provided is a method for responding to a distributed denial of service (DDoS) attack using a deterministic pushback scheme. All packets leaving an edge router of a given network for other networks are marked with the router's own IP address, so that a victim system can identify the IP address of the attack-source edge router from the DDoS attack packets. The victim system that detects the DDoS attack obtains the IP address of the attack-source edge router by reassembling the address carried in the detected attack packets. When the victim system transmits a deterministic pushback message to the attack-source edge router, that router receives the message, confirms that it is the router identified in it, and filters the corresponding attack packets.
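An added simulation of the exchange, with both the edge-router and the victim side (not the patent's code). The abstract says packets are marked with the edge router's address and that the victim reassembles it; the encoding used here, alternating the two 16-bit halves of the IPv4 address across successive packets with a one-bit flag saying which half is carried, is an assumption for the example, as are the addresses, the 500-packet detection threshold and the message format.

```python
from collections import Counter


def split_addr(ip):
    """Split a dotted IPv4 address into two 16-bit halves."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 8) | b, (c << 8) | d


def join_addr(hi, lo):
    return f"{hi >> 8}.{hi & 0xFF}.{lo >> 8}.{lo & 0xFF}"


class EdgeRouter:
    """Marks every outbound packet with one half of its own address (alternating)
    and filters traffic to a victim once a pushback message names this router."""
    def __init__(self, ip):
        self.ip = ip
        self.halves = split_addr(ip)
        self.toggle = 0
        self.filtered_dsts = set()
        self.dropped = 0

    def forward(self, pkt):
        if pkt["dst"] in self.filtered_dsts:
            self.dropped += 1
            return None                      # attack packet filtered at the source edge
        marked = dict(pkt, mark=(self.toggle, self.halves[self.toggle]))
        self.toggle ^= 1
        return marked

    def receive_pushback(self, msg):
        if msg["router"] != self.ip:         # confirm the message really names us
            return False
        self.filtered_dsts.add(msg["victim"])
        return True


class Victim:
    def __init__(self, ip, threshold):
        self.ip, self.threshold = ip, threshold
        self.seen = 0
        self.half_counts = (Counter(), Counter())

    def receive(self, pkt):
        if pkt is None or pkt["dst"] != self.ip:
            return
        self.seen += 1
        which, value = pkt["mark"]
        self.half_counts[which][value] += 1

    def under_attack(self):
        return self.seen >= self.threshold

    def reassemble_source_router(self):
        """Pair the most frequent high and low halves: the flood dominates both."""
        hi = self.half_counts[0].most_common(1)[0][0]
        lo = self.half_counts[1].most_common(1)[0][0]
        return join_addr(hi, lo)

    def pushback_message(self):
        return {"type": "deterministic-pushback", "victim": self.ip,
                "router": self.reassemble_source_router()}


def simulate(attack_packets=1000, legit_packets=20):
    victim = Victim("198.51.100.10", threshold=500)
    attacker_edge = EdgeRouter("203.0.113.1")    # constructed addresses
    client_edge = EdgeRouter("192.0.2.1")
    routers = {r.ip: r for r in (attacker_edge, client_edge)}

    # Phase 1: spoofed flood plus legitimate traffic; the victim only sees the marks.
    for i in range(attack_packets):
        victim.receive(attacker_edge.forward({"src": f"10.{i % 256}.0.{i % 200}", "dst": victim.ip}))
    for _ in range(legit_packets):
        victim.receive(client_edge.forward({"src": "192.0.2.50", "dst": victim.ip}))
    if not victim.under_attack():
        return {"attack_detected": False}

    # Phase 2: the victim reassembles the router address and sends the pushback message.
    msg = victim.pushback_message()
    router = routers.get(msg["router"])
    accepted = router.receive_pushback(msg) if router else False

    # Phase 3: further flood packets die at the source edge; legitimate traffic still arrives.
    before = victim.seen
    for _ in range(100):
        victim.receive(attacker_edge.forward({"src": "10.9.9.9", "dst": victim.ip}))
    for _ in range(10):
        victim.receive(client_edge.forward({"src": "192.0.2.50", "dst": victim.ip}))
    return {"attack_detected": True, "attack_router": msg["router"],
            "pushback_accepted": accepted, "dropped_at_source": attacker_edge.dropped,
            "delivered_after_pushback": victim.seen - before}


if __name__ == "__main__":
    print(simulate())
```

The spoofed source addresses never enter the reassembly; only the marks do, which is why the scheme works against address spoofing. The most-common pairing is the weak spot of this simplified encoding: with floods arriving through several edge routers the halves of different addresses can be cross-paired, so a deployable marking needs a way to associate the two halves of the same router (for example by keying on other header bits), and the filter installed at the router should be scoped to the victim address and a time window rather than left in place indefinitely.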
Abstract:
A system and method for transmitting cyber threat information in real time, designed to minimize server overload so that large numbers of clients can be supported, is disclosed. Important related information, such as countermeasures against cyber threats or cyber attacks, is transmitted to the user in real time through diverse channels, including SMS messages, e-mail messages, and pop-up messages, so that the user can respond to such threats effectively, actively, and promptly, and the damage that cyber threats cause to important systems and services can be minimized.