Abstract:
A method and apparatus for extracting a Windows executable file are provided that can search for a pattern related to Windows executable files among a large quantity of network packets using hardware-based session tracking and pattern matching, and can extract all packets included in the corresponding session. The method of extracting a Windows executable file includes: collecting incoming packets having a payload according to the session of a reference packet having an MZ pattern; performing portable executable (PE) pattern matching on the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching.
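As an added example (not code from any of the patents above), the following Python carries out the carving steps the abstract describes: reassembling a session's payloads in order, locating the MZ pattern, checking the PE signature via e_lfanew, and deriving the file end from the section table so that a session that ended before the whole file arrived is reported as truncated. All function names and the sample PE image are constructed for the demo.

```python
import struct
from typing import Iterable, Optional

def reassemble_session(packets: Iterable[tuple[int, bytes]]) -> bytes:
    """Join the payloads of one session in sequence order.
    Input is constructed as (sequence_number, payload) pairs for the demo."""
    return b"".join(payload for _, payload in sorted(packets, key=lambda p: p[0]))

def carve_pe(stream: bytes) -> Optional[bytes]:
    """Find an MZ header whose e_lfanew points at a valid 'PE\\0\\0' signature and
    return the file bytes. The file end is the furthest extent of the section table
    or of any section's raw data. Returns None when no PE is present or when the
    session ended before the whole file arrived (truncated capture)."""
    mz = stream.find(b"MZ")
    while mz != -1:
        if mz + 0x40 <= len(stream):
            e_lfanew = struct.unpack_from("<I", stream, mz + 0x3C)[0]
            pe = mz + e_lfanew
            if pe + 24 <= len(stream) and stream[pe:pe + 4] == b"PE\x00\x00":
                num_sections = struct.unpack_from("<H", stream, pe + 6)[0]   # COFF NumberOfSections
                opt_size = struct.unpack_from("<H", stream, pe + 20)[0]     # SizeOfOptionalHeader
                sec_table = pe + 24 + opt_size
                end = sec_table + num_sections * 40
                for i in range(num_sections):
                    hdr = sec_table + i * 40
                    if hdr + 40 > len(stream):
                        return None  # section table itself is truncated
                    raw_size, raw_ptr = struct.unpack_from("<II", stream, hdr + 16)
                    end = max(end, mz + raw_ptr + raw_size)  # PointerToRawData is file-relative
                return stream[mz:end] if end <= len(stream) else None
        mz = stream.find(b"MZ", mz + 1)  # false MZ hit: keep scanning the session
    return None

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (not a real executable): DOS header with e_lfanew=0x40,
    COFF header with one section and no optional header, 16 bytes of section data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = b".text\x00\x00\x00" + struct.pack("<IIIIIIHHI", 16, 0x1000, 16, 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + section + b"\xCC" * 16

def carve_from_packets(packets: Iterable[tuple[int, bytes]]) -> Optional[bytes]:
    """Convenience wrapper: reassemble the session, then carve the PE file."""
    return carve_pe(reassemble_session(packets))
```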
Abstract:
A real-time stateful packet inspection method and apparatus is provided, which uses a session table processing method that can efficiently generate state information. In the apparatus, a session table stores session data of a packet received from an external network. A hash key generator hashes a parameter extracted from the received packet and generates a hash pointer of the session table corresponding to the packet. A session detection module searches the session table for a session corresponding to the received packet. A session management module performs management of the session table such as addition, deletion, and change of sessions of the session table. A packet inspection module generates state information corresponding to the received packet from both directionality information of the packet and entry header information of the packet stored in the session table and then inspects the packet based on the generated state information.
Abstract:
An apparatus and method for managing a session state are provided. The apparatus for managing a session state during transmission control protocol (TCP) handshaking includes: a session index unit producing and managing an index including 5-tuple information of the session corresponding to an input packet; a detailed information manager generating and managing an entry, by extracting state information of a session for which a predetermined time has not yet elapsed since the session was completely established, in order to respond to an intrusion detection against the input packet when the index is produced; a brief information manager generating and managing an entry including state information (the states of session connection and disconnection and the directionality of the input packet) of a session for which a predetermined time has elapsed since the session was completely established; and a search unit searching the session index unit for an index of the session corresponding to the input packet and, if no index exists, searching the brief information manager after the session has been completely established.
Abstract:
The present invention discloses a device and method for detecting a packed PE (portable executable) file. In the device and method for detecting a packed PE file, information for detecting packing is extracted by analyzing the header of a target file, and a record containing characteristic values that appear only in a packed PE file is created from the extracted information. Packing of the target file is detected by calculating, based on the created record, the similarity to an unpacked PE file and comparing it with a derived threshold value. Therefore, a packed PE file can be detected even if it is packed by a packing method that is not well known.
Abstract:
A method and apparatus for storing an intrusion rule are provided. The method stores a new intrusion rule in an intrusion detection system having already stored intrusion rules, and includes: generating combinations of divisions capable of dividing the new intrusion rule into a plurality of partial intrusion rules; calculating the frequency of hash value collisions between each of the generated division combinations and the already stored intrusion rules; dividing the new intrusion rule according to the division combination which has the lowest calculated frequency of hash value collisions; and storing the divided new intrusion rule in a corresponding position of the intrusion detection system. According to the method and apparatus, the size of the storage unit occupied by the intrusion rule can be reduced, and by performing pattern matching, the performance of the intrusion detection system can be enhanced.
Abstract:
A method of storing a pattern matching policy and a method of controlling an alert message are provided. The method includes (a) generating a content structure as a sub-structure of a header combination structure of a stored traffic pattern which is a policy to be newly applied to a pattern matching apparatus; (b) determining whether a content of the stored traffic pattern is identical to a content of an original traffic pattern stored in advance in the pattern matching apparatus; (c) allocating a content index of the content of the original traffic pattern to the content of the stored traffic pattern if the content of the stored traffic pattern is identical to the content of the original traffic pattern; and (d) determining whether a header combination structure of the original traffic pattern comprises only one content structure or more than one content structure and allocating a header index of the header combination structure of the stored traffic pattern to the header combination structure of the original traffic pattern if the header combination structure of the original traffic pattern is found to comprise only one content structure. Accordingly, it is possible to efficiently use hardware memories with limited storage capacities and effectively perform a pattern matching function.
Abstract:
A method and apparatus for storing pattern matching data and a pattern matching method using the method and apparatus are provided. The method of storing original data for pattern matching in a pattern matching apparatus includes: dividing the original data into segments of a predetermined size; performing a hash operation on each of the divided segments; determining whether or not the hash operation value of each segment causes a hash collision with a hash operation value stored in a first external memory disposed outside the pattern matching apparatus; and controlling the hash operation value of each segment determined not to cause a hash collision to be stored in the first external memory. According to the method and apparatus, the original data desired to be used for pattern matching can be stored at a faster speed in a pattern matching data storing apparatus.
Abstract:
A method of detecting polymorphic shellcode is provided. The decoding routine of the polymorphic shellcode is detected in received data. For the decoding routine to access the address of the encoded code, the address of the currently executing code is stored on the stack and the value is moved into a register table; it is then determined whether that value is actually used to operate on memory. Emulation is performed last, improving the correctness of detection. Therefore, the time and overhead spent detecting polymorphic shellcode are reduced and the correctness of detection is increased.
Abstract:
An apparatus and method for detecting executable code are provided, capable of verifying the reliability of an extracted signature by determining whether executable code is present in network data using instruction pattern information related to the function-calling mechanism, which distinguishes executable code from non-executable code. The method includes: forming instructions by disassembling network data suspected of being an attack; comparing each formed instruction with instruction patterns according to the function-calling mechanism; and determining whether executable code is present in the network data according to the result of the comparison.
Abstract:
An apparatus and method for extracting signature candidates and optimizing a corresponding signature are provided. The apparatus includes a packet separator, a header parser, a traffic information generator, a substring extractor, and a signature candidate extractor. The packet separator separates a packet into a header and a payload. The header parser parses the header information, and the traffic information generator generates traffic information. The substring extractor measures the frequency of occurrence of substrings of a predetermined length in the separated payload over a fixed observation period, updates the measured frequency information in a substring frequency table, and extracts substrings whose frequency is higher than a predetermined setup value. The signature candidate extractor generates a signature by combining the extracted substring information and the generated traffic information, updates a signature frequency table, and extracts a signature candidate with reference to the information in the signature frequency table.