公开(公告)号：US08813226B2

公开(公告)日：2014-08-19

申请号：US12879691

申请日：2010-09-10

Applicant: Yoon Jung Chung ,  Yo Sik Kim ,  Won Ho Kim ,  Dong Soo Kim ,  Sang Kyun Noh ,  Young Tae Yun ,  Cheol Won Lee

Inventor： Yoon Jung Chung ,  Yo Sik Kim ,  Won Ho Kim ,  Dong Soo Kim ,  Sang Kyun Noh ,  Young Tae Yun ,  Cheol Won Lee

IPC: G06F21/00 ,  G06F21/56 ,  G06F9/455 ,  G06F21/55 ,  H04L29/06

CPC classification number: G06F9/455 ,  G06F21/55 ,  G06F21/554 ,  G06F21/56 ,  G06F21/566 ,  G06F2212/151 ,  H04L29/06877 ,  H04L29/06891 ,  H04L29/06911 ,  H04L29/06918 ,  H04L63/14 ,  H04L63/1416 ,  H04L63/1441 ,  H04L2463/144

Abstract: A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.

Abstract translation: 提供了使用伪装的虚拟机信息的针对智能机器人的防御方法和设备。 该方法包括对由进程发送的虚拟机检测请求执行全局挂接，根据预先存储的恶意进程信息确定发送虚拟机检测请求的进程是否对应于恶意进程，以及何时 发现过程与恶意进程对应，作为确定的结果，确定该进程是由智能机器人生成的，并将伪装的虚拟机信息返回到该进程。

公开(公告)号：US08706866B2

公开(公告)日：2014-04-22

申请号：US12985728

申请日：2011-01-06

Applicant: Sang Kyun Noh ,  Young Tae Yun ,  Dong Soo Kim ,  Yo Sik Kim ,  Yoon Jung Chung ,  Won Ho Kim ,  Yu Jung Han ,  Cheol Won Lee

Inventor： Sang Kyun Noh ,  Young Tae Yun ,  Dong Soo Kim ,  Yo Sik Kim ,  Yoon Jung Chung ,  Won Ho Kim ,  Yu Jung Han ,  Cheol Won Lee

IPC: G06F21/20 ,  G06F15/173

CPC classification number: H04L63/1458 ,  G06F21/44 ,  H04L67/146

Abstract: Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.

Abstract translation: 提供了用于识别僵尸的虚拟服务器和方法，以及用于综合管理僵尸信息的宿窝服务器和方法。 虚拟服务器包括认证处理模块，使用CAPTCHA测试认证主机，并且当从主机接收到的web服务器访问请求消息不包括cookie时，向认证主机提供cookie，用于提取cookie值的cookie值验证模块 当web服务器访问请求消息包括cookie时，从Web服务器访问请求消息和验证提取的cookie值，当cookie值被验证时用于诱导主机访问web服务器的网页访问诱导模块，以及僵尸识别 当cookie值未被验证时阻止主机访问的模块，以及当阻塞操作次数超过阈值时将主机识别为僵尸。

公开(公告)号：US08069332B2

公开(公告)日：2011-11-29

申请号：US12208467

申请日：2008-09-11

Applicant: Myeong Ryeol Choi ,  Yo Sik Kim ,  Sangseo Park

Inventor： Myeong Ryeol Choi ,  Yo Sik Kim ,  Sangseo Park

IPC: G06F12/10

CPC classification number: G06F11/0715 ,  G06F11/0742 ,  G06F11/0778

Abstract: A device and method for extracting data stored in a volatile memory are provided. In particular, a memory-data extracting device and method for ensuring integrity of data extracted from a volatile memory installed in a computer are provided. A memory-data extracting module extracts data stored in a memory. A module loader loads the memory-data extracting module in a kernel region of the memory and sets a priority of the loaded memory-data extracting module to be higher than priorities of kernel processors loaded in the memory. Task switching can be prevented in the course of extracting memory data by loading a process for extracting memory data in a kernel region and setting a priority of the loaded process to be higher than priorities of other kernel processes, thereby ensuring the integrity of data extracted from a non-volatile memory.

Abstract translation: 提供了用于提取存储在易失性存储器中的数据的装置和方法。 特别地，提供了一种用于确保从安装在计算机中的易失性存储器提取的数据的完整性的存储器数据提取装置和方法。 存储器数据提取模块提取存储在存储器中的数据。 模块加载器将存储器数据提取模块加载到存储器的内核区域中，并将加载的存储器数据提取模块的优先级设置为高于加载到存储器中的内核处理器的优先级。 在通过加载用于提取内核区域中的存储器数据的处理并且将加载处理的优先级设置为高于其他内核进程的优先级的处理来提取存储器数据的过程中，可以防止任务切换，从而确保从 非易失性存储器。

公开(公告)号：US20110271342A1

公开(公告)日：2011-11-03

申请号：US12879691

申请日：2010-09-10

Applicant: Yoon Jung CHUNG ,  Yo Sik KIM ,  Won Ho KIM ,  Dong Soo KIM ,  Sang Kyun NOH ,  Young Tae YUN ,  Cheol Won LEE

Inventor： Yoon Jung CHUNG ,  Yo Sik KIM ,  Won Ho KIM ,  Dong Soo KIM ,  Sang Kyun NOH ,  Young Tae YUN ,  Cheol Won LEE

IPC: G06F11/00

CPC classification number: G06F9/455 ,  G06F21/55 ,  G06F21/554 ,  G06F21/56 ,  G06F21/566 ,  G06F2212/151 ,  H04L29/06877 ,  H04L29/06891 ,  H04L29/06911 ,  H04L29/06918 ,  H04L63/14 ,  H04L63/1416 ,  H04L63/1441 ,  H04L2463/144

Abstract: A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not, the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.

Abstract translation: 提供了使用伪装的虚拟机信息的针对智能机器人的防御方法和设备。 该方法包括对由进程发送的虚拟机检测请求执行全局挂接，根据预先存储的恶意进程信息确定发送虚拟机检测请求的处理是否对应于恶意进程，以及何时 发现该过程对应于作为确定的结果的恶意进程，确定该过程由智能bot生成，并将伪装的虚拟机信息返回到该过程。

公开(公告)号：US20090164740A1

公开(公告)日：2009-06-25

申请号：US12208467

申请日：2008-09-11

Applicant: Myeong Ryeol CHOI ,  Yo Sik KIM ,  Sangseo PARK

Inventor： Myeong Ryeol CHOI ,  Yo Sik KIM ,  Sangseo PARK

IPC: G06F12/00

CPC classification number: G06F11/0715 ,  G06F11/0742 ,  G06F11/0778

Abstract: A device and method for extracting data stored in a volatile memory are provided. In particular, a memory-data extracting device and method for ensuring integrity of data extracted from a volatile memory installed in a computer are provided. A memory-data extracting module extracts data stored in a memory. A module loader loads the memory-data extracting module in a kernel region of the memory and sets a priority of the loaded memory-data extracting module to be higher than priorities of kernel processors loaded in the memory. Task switching can be prevented in the course of extracting memory data by loading a process for extracting memory data in a kernel region and setting a priority of the loaded process to be higher than priorities of other kernel processes, thereby ensuring the integrity of data extracted from a non-volatile memory.

Abstract translation: 提供了用于提取存储在易失性存储器中的数据的装置和方法。 特别地，提供了一种用于确保从安装在计算机中的易失性存储器提取的数据的完整性的存储器数据提取装置和方法。 存储器数据提取模块提取存储在存储器中的数据。 模块加载器将存储器数据提取模块加载到存储器的内核区域中，并将加载的存储器数据提取模块的优先级设置为高于加载到存储器中的内核处理器的优先级。 通过加载用于提取内核区域中的存储器数据的处理并将加载处理的优先级设置为高于其他内核进程的优先级，从而可以在提取存储器数据的过程中防止任务切换，从而确保从 非易失性存储器。

公开(公告)号：US08955124B2

公开(公告)日：2015-02-10

申请号：US12985252

申请日：2011-01-05

Applicant: Yo Sik Kim ,  Sang Kyun Noh ,  Yoon Jung Chung ,  Dong Soo Kim ,  Won Ho Kim ,  Yu Jung Han ,  Young Tae Yun ,  Ki Wook Sohn ,  Cheol Won Lee

Inventor： Yo Sik Kim ,  Sang Kyun Noh ,  Yoon Jung Chung ,  Dong Soo Kim ,  Won Ho Kim ,  Yu Jung Han ,  Young Tae Yun ,  Ki Wook Sohn ,  Cheol Won Lee

IPC: G06F21/00 ,  G06F21/56

CPC classification number: G06F21/566

Abstract: Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

Abstract translation: 提供了一种用于检测插入到伪装的正常进程中的恶意代码的装置，系统和方法。 该装置包括恶意代码检测模块，用于提取由计算机系统上运行的进程生成的线程的信息，以识别与该线程相关的代码，初步确定所识别的代码是否是恶意的，并提取初步确定为恶意的代码 ; 以及强制恶意代码终止模块，用于基于在虚拟环境中执行的提取的代码的行为的分析结果，最终将代码确定为恶意代码，并强制终止代码的执行。

公开(公告)号：US20110271343A1

公开(公告)日：2011-11-03

申请号：US12985252

申请日：2011-01-05

Applicant: Yo Sik Kim ,  Sang Kyun Noh ,  Yoon Jung Chung ,  Dong Soo Kim ,  Won Ho Kim ,  Yu Jung Han ,  Young Tae Yun ,  Ki Wook Sohn ,  Cheol Won Lee

Inventor： Yo Sik Kim ,  Sang Kyun Noh ,  Yoon Jung Chung ,  Dong Soo Kim ,  Won Ho Kim ,  Yu Jung Han ,  Young Tae Yun ,  Ki Wook Sohn ,  Cheol Won Lee

IPC: G06F21/00

CPC classification number: G06F21/566

Abstract: Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

Abstract translation: 提供了一种用于检测插入到伪装的正常进程中的恶意代码的装置，系统和方法。 该装置包括恶意代码检测模块，用于提取由计算机系统上运行的进程生成的线程的信息，以识别与该线程相关的代码，初步确定所识别的代码是否是恶意的，并提取初步确定为恶意的代码 ; 以及强制恶意代码终止模块，用于基于在虚拟环境中执行的提取的代码的行为的分析结果，最终将代码确定为恶意代码，并强制终止代码的执行。

公开(公告)号：US20110270969A1

公开(公告)日：2011-11-03

申请号：US12985728

申请日：2011-01-06

Applicant: Sang Kyun Noh ,  Young Tae Yun ,  Dong Soo Kim ,  Yo Sik Kim ,  Yoon Jung Chung ,  Won Ho Kim ,  Yu Jung Han ,  Cheol Won Lee

Inventor： Sang Kyun Noh ,  Young Tae Yun ,  Dong Soo Kim ,  Yo Sik Kim ,  Yoon Jung Chung ,  Won Ho Kim ,  Yu Jung Han ,  Cheol Won Lee

IPC: G06F21/20 ,  G06F15/173

CPC classification number: H04L63/1458 ,  G06F21/44 ,  H04L67/146

Abstract: Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.

Abstract translation: 提供了用于识别僵尸的虚拟服务器和方法，以及用于综合管理僵尸信息的宿窝服务器和方法。 虚拟服务器包括认证处理模块，使用CAPTCHA测试认证主机，并且当从主机接收到的web服务器访问请求消息不包括cookie时，向认证主机提供cookie，用于提取cookie值的cookie值验证模块 当web服务器访问请求消息包括cookie时，从Web服务器访问请求消息和验证提取的cookie值，当cookie值被验证时用于诱导主机访问web服务器的网页访问诱导模块，以及僵尸识别 当cookie值未被验证时阻止主机访问的模块，以及当阻塞操作次数超过阈值时将主机识别为僵尸。