1. APPARATUS AND METHOD FOR DETECTING HTTP BOTNET BASED ON DENSITIES OF WEB TRANSACTIONS
    Type: Invention application
    Status: Under examination, published

    Publication number: US20140047543A1

    Publication date: 2014-02-13

    Application number: US13958552

    Filing date: 2013-08-03

    CPC classification number: H04L63/1441 H04L2463/144

    Abstract: An apparatus and method for detecting a Hyper Text Transfer Protocol (HTTP) botnet based on the densities of transactions. The apparatus includes a collection management unit, a web transaction classification unit, and a filtering unit. The collection management unit extracts metadata from HTTP request packets collected by a traffic collection sensor. The web transaction classification unit extracts web transactions by analyzing the metadata, and generates a gray list by arranging the extracted web transactions according to the frequency of access. The filtering unit detects an HTTP botnet by filtering the gray list based on a white list and a black list.


2. FIREWALL POLICY INSPECTION APPARATUS AND METHOD
    Type: Invention application
    Status: Granted

    Publication number: US20140157356A1

    Publication date: 2014-06-05

    Application number: US13946852

    Filing date: 2013-07-19

    CPC classification number: H04L63/0263 H04L63/0227 H04L63/1433 H04L63/1466

    Abstract: A firewall policy inspection apparatus and method are provided. The firewall policy inspection apparatus includes an intrusion prevention rule obtainment unit for obtaining intrusion prevention rules from a target firewall policy. An anomaly rule detection unit detects an anomaly rule in the relationships between the intrusion prevention rules. A screen display unit displays an anomaly rule graph on a screen using the results of the detection.


3. NETWORK INTRUSION DETECTION APPARATUS AND METHOD USING PERL COMPATIBLE REGULAR EXPRESSIONS-BASED PATTERN MATCHING TECHNIQUE
    Type: Invention application
    Status: Granted

    Publication number: US20140123288A1

    Publication date: 2014-05-01

    Application number: US14023635

    Filing date: 2013-09-11

    CPC classification number: H04L63/1416

    Abstract: A network intrusion detection apparatus and method that perform Perl Compatible Regular Expressions (PCRE)-based pattern matching on the payloads of packets using a network processor equipped with a Deterministic Finite Automata (DFA) engine. The network intrusion detection apparatus includes a network processor core for receiving packets from a network and transmitting the payloads of the received packets to the DFA engine. A detection rule converter converts a PCRE-based detection rule, preset to detect an attack packet, into a detection rule whose pattern uses only the PCRE grammar that the DFA engine supports. The DFA engine performs PCRE pattern matching on the payloads of the packets based on the detection rule converted by the detection rule converter.


    APPARATUS AND METHOD FOR ANALYZING MALICIOUS CODE IN MULTI-CORE ENVIRONMENT

    Publication number: US20170083705A1

    Publication date: 2017-03-23

    Application number: US15074497

    Filing date: 2016-03-18

    CPC classification number: G06F21/566

    Abstract: Disclosed herein are an apparatus and method for analyzing malicious code in a multi-core environment. The apparatus for analyzing malicious code includes a core setting unit that designates at least one core of a multi-core Central Processing Unit (CPU) as a monitoring core, on which malicious code is to be monitored, and executes a monitoring program on that monitoring core; a behavioral information collection unit that, when the execution cores (the cores not set as the monitoring core) execute the analysis target code, collects pieces of behavioral information using the monitoring program and a hardware debugging device; and a storage unit that stores the behavioral information.
