公开(公告)号：US08065729B2

公开(公告)日：2011-11-22

申请号：US11947673

申请日：2007-11-29

申请人： Sung Won Yi ,  Hwa Shin Moon ,  Young Chan Shin ,  Jin Tae Oh

发明人： Sung Won Yi ,  Hwa Shin Moon ,  Young Chan Shin ,  Jin Tae Oh

IPC分类号： G06F11/00 ,  G06F12/14 ,  G06F15/173 ,  H04L9/32

CPC分类号： H04L63/1416 ,  G06F21/552 ,  G06F21/56

摘要： Provided is a method and apparatus for generating a network attack signature capable of generating a signature having a high reliability while minimizing a whitelist used to prevent false positive. An application header and application data are separated from each other to measure byte distributions of the application header and the application data from an input packet. When an attack signature is generated by analyzing the measured byte distributions, a substring of the application data is used to generate the attack signature, and a substring of the application header is used as supporting information on the signature.

摘要翻译： 提供了一种用于生成能够生成具有高可靠性的签名的网络攻击签名的方法和装置，同时最小化用于防止假阳性的白名单。 应用程序头和应用程序数据彼此分离，以测量来自输入分组的应用程序头部和应用程序数据的字节分布。 当通过分析测量的字节分布生成攻击签名时，应用数据的子字符串用于生成攻击签名，应用头的子字符串用作签名的支持信​​息。

公开(公告)号：US07865955B2

公开(公告)日：2011-01-04

申请号：US11924100

申请日：2007-10-25

申请人： Hwa Shin Moon ,  Sung Won Yi ,  Jin Tae Oh

发明人： Hwa Shin Moon ,  Sung Won Yi ,  Jin Tae Oh

IPC分类号： G06F11/00 ,  G06F12/14 ,  H04L9/00

CPC分类号： H04L63/1416 ,  H04L63/0227 ,  H04L69/22

摘要： An apparatus and method for extracting signature candidates and optimizing a corresponding signature are provided. The apparatus includes a packet separator, a header parser, a traffic information generator, a substring extractor, and a signature candidate extractor. The packet separator separates a packet into a header and a payload. The header information parser parses the header information, and the traffic information generator generates traffic information. The substring extractor measures a frequency of appearing of a substring with a predetermined length in the separated payload for a constant observation period, and extracts a substring having a frequency higher than a predetermined setup value by updating the measured frequency information to a substring frequency table. The signature candidate extractor generates a signature by collecting the extracted substring information and the generated traffic information, updates a signature frequency table, and extracts a signature candidate with reference to information of the signature frequency table.

摘要翻译： 提供了一种用于提取签名候选和优化对应签名的装置和方法。 该装置包括分组分离器，头解析器，交通信息发生器，子串提取器和签名候选提取器。 分组分离器将分组分离成报头和有效载荷。 标题信息解析器解析标题信息，并且交通信息生成器生成交通信息。 子串提取器测量在分离的有效载荷中具有预定长度的子串的出现频率用于恒定观察周期，并且通过将测量的频率信息更新为子串频率表来提取具有高于预定设置值的频率的子串。 签名候选提取器通过收集所提取的子字符串信息和生成的交通信息来生成签名，更新签名频率表，并且参考签名频率表的信息来提取签名候选。

公开(公告)号：US20090158427A1

公开(公告)日：2009-06-18

申请号：US12331613

申请日：2008-12-10

申请人： Byoung Koo Kim ,  Jin Tae Oh ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Byoung Koo Kim ,  Jin Tae Oh ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F21/00

CPC分类号： H04L63/0263 ,  G06F17/30985 ,  H04L63/1408

摘要： Enclosed are a signature string storage memory optimizing method, a signature string pattern matching method, and a signature matching engine. Signature is tokenized in units of substrings and the tokenized substrings are stored in an internal memory block and an external memory block to optimize a memory storage pattern. Therefore, matching of introduction data to signature patterns is effectively performed.

摘要翻译： 封闭的是签名字符串存储内存优化方法，签名字符串模式匹配方法和签名匹配引擎。 签名以子字符串为单位，令牌化子字符串存储在内部存储块和外部存储器块中，以优化存储器存储模式。 因此，有效地执行引入数据与签名图案的匹配。

公开(公告)号：US08166545B2

公开(公告)日：2012-04-24

申请号：US12044393

申请日：2008-03-07

申请人： Dae Won Kim ,  Yang Seo Choi ,  Ik Kyun Kim ,  Jin Tae Oh ,  Jong Soo Jang

发明人： Dae Won Kim ,  Yang Seo Choi ,  Ik Kyun Kim ,  Jin Tae Oh ,  Jong Soo Jang

IPC分类号： G06F11/00

CPC分类号： H04L43/18 ,  H04L63/1408 ,  H04L63/145

摘要： There are provided an apparatus and method for detecting an executable code, capable of verifying reliability of an extracted signature by determining whether there is present an executable code in network data by using instruction pattern information related calling mechanism of function for distinguishing the executable code from a non-executable code, the method including: forming instructions by reverse assembling network data suspicious as an attack; comparing the respective formed instructions with instruction patterns according to calling mechanism of function; and determining whether there is present an executable code in the network data according to a result of the comparing.

摘要翻译： 提供了一种用于检测可执行代码的装置和方法，其能够通过使用指令模式信息相关的调用机制来确定是否存在网络数据中的可执行代码来验证提取的签名的可靠性，以便将可执行代码与 不可执行代码，该方法包括：通过将可疑的网络数据反向组合为攻击来形成指令; 根据功能的调用机制将各形成的指令与指令模式进行比较; 以及根据所述比较的结果确定是否存在所述网络数据中的可执行代码。

公开(公告)号：US20070297410A1

公开(公告)日：2007-12-27

申请号：US11633174

申请日：2006-12-04

申请人： Seung Yong Yoon ,  Jin Tae Oh ,  Jong Soo Jang

发明人： Seung Yong Yoon ,  Jin Tae Oh ,  Jong Soo Jang

IPC分类号： H04L12/56

CPC分类号： H04L63/0227 ,  H04L63/0254 ,  H04L67/14

摘要： A real-time stateful packet inspection method and apparatus is provided, which uses a session table processing method that can efficiently generate state information. In the apparatus, a session table stores session data of a packet received from an external network. A hash key generator hashes a parameter extracted from the received packet and generates a hash pointer of the session table corresponding to the packet. A session detection module searches the session table for a session corresponding to the received packet. A session management module performs management of the session table such as addition, deletion, and change of sessions of the session table. A packet inspection module generates state information corresponding to the received packet from both directionality information of the packet and entry header information of the packet stored in the session table and then inspects the packet based on the generated state information.

摘要翻译： 提供了一种实时状态包检测方法和装置，其使用可以有效地生成状态信息的会话表处理方法。 在该装置中，会话表存储从外部网络接收到的分组的会话数据。 哈希密钥生成器从接收到的分组中提取参数，并生成与分组对应的会话表的哈希指针。 会话检测模块在会话表中搜索与接收到的分组相对应的会话。 会话管理模块执行会话表的管理，例如会话表的会话的添加，删除和更改。 分组检查模块从分组的方向性信息和存储在会话表中的分组的条目标题信息两者生成对应于接收到的分组的状态信息，然后基于生成的状态信息来检查分组。

公开(公告)号：US20100146621A1

公开(公告)日：2010-06-10

申请号：US12503288

申请日：2009-08-17

申请人： Byoung Koo Kim ,  Seung Yong Yoon ,  Ik Kyun Kim ,  Jin Tae Oh ,  Jong Soo Jang ,  Hyun Sook Cho

发明人： Byoung Koo Kim ,  Seung Yong Yoon ,  Ik Kyun Kim ,  Jin Tae Oh ,  Jong Soo Jang ,  Hyun Sook Cho

IPC分类号： G06F17/30 ,  G06F12/14 ,  G06F11/00 ,  G06F12/16 ,  G08B23/00

CPC分类号： H04L63/145 ,  G06F21/564

摘要： A method and apparatus for extracting a windows executable file that can search for a pattern related to windows executable files among a large quantity of network packets using a hardware-based session tracking and pattern matching technology and that can extract all packets included in the corresponding session are provided. The method of extracting a windows executable file includes: collecting incoming packets having a payload according to a session of a reference packet having an MZ pattern; performing a portable executable (PE) pattern matching for the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching.

摘要翻译： 一种用于提取Windows可执行文件的方法和装置，其可以使用基于硬件的会话跟踪和模式匹配技术在大量网络分组中搜索与Windows可执行文件相关的模式，并且可以提取包括在相应会话中的所有分组 被提供。 提取Windows可执行文件的方法包括：根据具有MZ模式的参考分组的会话收集具有有效载荷的传入分组; 对所收集的传入分组执行匹配的便携式可执行（PE）模式; 以及基于满足PE模式匹配的至少一个输入分组形成PE文件。

公开(公告)号：US08365277B2

公开(公告)日：2013-01-29

申请号：US12331613

申请日：2008-12-10

申请人： Byoung Koo Kim ,  Jin Tae Oh ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Byoung Koo Kim ,  Jin Tae Oh ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F11/00 ,  G06F12/14 ,  G06F7/04

CPC分类号： H04L63/0263 ,  G06F17/30985 ,  H04L63/1408

摘要： Enclosed are a signature string storage memory optimizing method, a signature string pattern matching method, and a signature matching engine. Signature is tokenized in units of substrings and the tokenized substrings are stored in an internal memory block and an external memory block to optimize a memory storage pattern. Therefore, matching of introduction data to signature patterns is effectively performed.

摘要翻译： 封闭的是签名字符串存储内存优化方法，签名字符串模式匹配方法和签名匹配引擎。 签名以子字符串为单位，令牌化子字符串存储在内部存储块和外部存储器块中，以优化存储器存储模式。 因此，有效地执行引入数据与签名图案的匹配。

公开(公告)号：US08095973B2

公开(公告)日：2012-01-10

申请号：US11926132

申请日：2007-10-29

申请人： Ik Kyun Kim ,  Yang Seo Choi ,  Dae Won Kim ,  Jin Tae Oh ,  Jong Soo Jang

发明人： Ik Kyun Kim ,  Yang Seo Choi ,  Dae Won Kim ,  Jin Tae Oh ,  Jong Soo Jang

IPC分类号： G06F9/00 ,  G06F15/16 ,  G06F17/00 ,  G06F11/00 ,  G06F12/14 ,  G06F12/16 ,  G08B23/00

CPC分类号： H04L63/1408

摘要： There are provided a network attack detection apparatus and method capable of determining even unknown network attack, the apparatus connected between two networks or connected by port mirroring of an Ethernet switch to real-time monitor all packets flowing through the networks. The apparatus decodes a payload portion of an inputted network packet into a machine code instruction, determines whether an executable code is included in the decoded machine code by analyzing relationship between instructions, and determines whether the packet is harmful based on statistics with respect to a possibility that an executable code exists in a service and a certain transaction of the service when the executable code is included.

摘要翻译： 提供了能够确定甚至未知网络攻击的网络攻击检测装置和方法，连接在两个网络之间的装置或通过以太网交换机的端口镜像连接的实时监视通过网络流动的所有分组的网络攻击检测装置和方法。 该装置将输入的网络分组的有效载荷部分解码为机器码指令，通过分析指令之间的关系来确定解码的机器码中是否包括可执行代码，并且基于关于可能性的统计来确定分组是否有害 当包括可执行代码时，可执行代码存在于服务和服务的某个事务中。

公开(公告)号：US20090133125A1

公开(公告)日：2009-05-21

申请号：US12209249

申请日：2008-09-12

申请人： Yang Seo Choi ,  Ik Kyun Kim ,  Byoung Koo Kim ,  Seung Yong Yoon ,  Dae Won Kim ,  Jin Tae Oh ,  Jong Soo Jang

发明人： Yang Seo Choi ,  Ik Kyun Kim ,  Byoung Koo Kim ,  Seung Yong Yoon ,  Dae Won Kim ,  Jin Tae Oh ,  Jong Soo Jang

IPC分类号： G06F21/00

CPC分类号： G06F21/562 ,  G06F21/56

摘要： The present invention relates to an apparatus and method for detecting malware. The malware detection apparatus and method of the present invention determines whether a file is malware or not by analyzing the header of an executable file. Since the malware detection apparatus and method can quickly detect presence of malware, it can shorten detection time considerably. The malware detection apparatus and method can also detect even unknown malware as well as known malware to thereby estimate and determine presence of malware. Therefore, it is possible to cope with malware in advance, protect a system with a program, and increase security level remarkably.

摘要翻译： 本发明涉及一种用于检测恶意软件的装置和方法。 本发明的恶意软件检测装置和方法通过分析可执行文件的标题来确定文件是否是恶意软件。 由于恶意软件检测装置和方法可以快速检测恶意软件的存在，因此可以大大缩短检测时间。 恶意软件检测装置和方法还可以检测甚至未知的恶意软件以及已知的恶意软件，从而估计和确定恶意软件的存在。 因此，可以提前应对恶意软件，用程序保护系统，显着提高安全等级。

公开(公告)号：US20080134334A1

公开(公告)日：2008-06-05

申请号：US11926132

申请日：2007-10-29

申请人： Ik Kyun Kim ,  Yang Seo Choi ,  Dae Won Kim ,  Jin Tae Oh ,  Jong Soo Jang

发明人： Ik Kyun Kim ,  Yang Seo Choi ,  Dae Won Kim ,  Jin Tae Oh ,  Jong Soo Jang

IPC分类号： G06F11/00

CPC分类号： H04L63/1408

摘要： There are provided a network attack detection apparatus and method capable of determining even unknown network attack, the apparatus connected between two networks or connected by port mirroring of an Ethernet switch to real-time monitor all packets flowing through the networks. The apparatus decodes a payload portion of an inputted network packet into a machine code instruction, determines whether an executable code is included in the decoded machine code by analyzing relationship between instructions, and determines whether the packet is harmful based on statistics with respect to a possibility that an executable code exists in a service and a certain transaction of the service when the executable code is included.

摘要翻译： 提供了能够确定甚至未知网络攻击的网络攻击检测装置和方法，连接在两个网络之间的装置或通过以太网交换机的端口镜像连接的实时监视通过网络流动的所有分组的网络攻击检测装置和方法。 该装置将输入的网络分组的有效载荷部分解码为机器码指令，通过分析指令之间的关系来确定解码的机器码中是否包括可执行代码，并且基于关于可能性的统计来确定分组是否有害 当包括可执行代码时，可执行代码存在于服务和服务的某个事务中。