Network status display device and method using traffic flow-radar
    1.
    Invention application
    Network status display device and method using traffic flow-radar (status: granted)

    Publication No.: US20070206498A1

    Publication date: 2007-09-06

    Application No.: US11599909

    Filing date: 2006-11-15

    IPC classification: H04L12/26

    Abstract: A network status display device using a traffic flow-radar is provided. The network status display device includes: a traffic feature extractor calculating flow occupancy rates for total flows, micro-flows and macro-flows with respect to each of a plurality of traffic features with reference to traffic information for each traffic feature such as a network address, a port, a transmitting/receiving host address or a protocol collected by an external traffic information collector, and storing the calculation result; a traffic status display unit displaying the flow occupancy rates for each traffic feature calculated and stored in the traffic feature extractor on a radar with dots for each traffic feature; and a traffic anomaly determination unit determining whether a network status is abnormal with reference to the radar for each traffic feature, detecting and reporting the type of the abnormal network status and harmful or abnormal traffic that generates the abnormal network status, when the abnormal status occurs.


    Apparatus and method of detecting network attack situation

    Publication No.: US20060119486A1

    Publication date: 2006-06-08

    Application No.: US11081682

    Filing date: 2005-03-17

    IPC classification: G08B5/22

    Abstract: Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Equal numbers of hash engines and detection engines for processing the alarms in the network to the number of data groups classified as network attack situations are formed in a line. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.

    Apparatus and method for detecting network traffic abnormality
    3.
    Invention application
    Apparatus and method for detecting network traffic abnormality (status: under examination, published)

    Publication No.: US20060067240A1

    Publication date: 2006-03-30

    Application No.: US11082031

    Filing date: 2005-03-15

    IPC classification: G06F11/00

    Abstract: An apparatus for detecting a network traffic abnormality includes: a pre-processing unit pre-processing traffic collected from at least one traffic collecting point in a network; a profiler modeling a normal traffic according to a characteristic of the traffic; an analysis model unit generating the thresholds based on the traffic; and an analyzer comparing a relative ratio of the traffic to the entire network traffic and the threshold and determining whether the traffic is abnormal. A combinational use of analysis methods using the relative ratio to the entire traffic and the absolute traffic volume takes into consideration the characteristics of a relative traffic ratio and absolute traffic volume, thereby providing a more reliable determination on whether the traffic is abnormal.


    Network status display device and method using traffic pattern map
    4.
    Invention application
    Network status display device and method using traffic pattern map (status: granted)

    Publication No.: US20070074288A1

    Publication date: 2007-03-29

    Application No.: US11527850

    Filing date: 2006-09-26

    IPC classification: G06F12/14

    Abstract: A network status display device using a traffic pattern map is provided. The device includes: a traffic feature extractor extracting a port number of a port having the maximum occupancy of micro-flows and macro-flows for each network address section and host address section with reference to traffic information collected by an external traffic information collector, calculating and storing an occupancy rate of the port; a traffic status display unit making a network traffic pattern map expressed by destination-source network addresses and a host traffic pattern map expressed by destination-source host addresses and displaying the port information stored in the traffic feature extractor on the network traffic pattern map and the host traffic pattern map; and a traffic anomaly determination unit determining whether a network status is abnormal with reference to the network traffic pattern map and the host traffic pattern map and detecting and reporting harmful or abnormal traffic which causes the abnormal network status. The device can determine whether an anomaly deteriorating the network performance exists and can easily and quickly detect the harmful or abnormal traffic which causes the anomaly by the use of the port information of the port having the maximum occupancy of the micro-flows and the macro-flows for each network address section and each host address section.


    Method of storing pattern matching policy and method of controlling alert message
    6.
    Invention application
    Method of storing pattern matching policy and method of controlling alert message (status: lapsed)

    Publication No.: US20070147382A1

    Publication date: 2007-06-28

    Application No.: US11635245

    Filing date: 2006-12-07

    IPC classification: H04L12/56

    CPC classification: H04L12/5602

    Abstract: A method of storing a pattern matching policy and a method of controlling an alert message are provided. The method includes (a) generating a content structure as a sub-structure of a header combination structure of a stored traffic pattern which is a policy to be newly applied to a pattern matching apparatus; (b) determining whether a content of the stored traffic pattern is identical to a content of an original traffic pattern stored in advance in the pattern matching apparatus; (c) allocating a content index of the content of the original traffic pattern to the content of the stored traffic pattern if the content of the stored traffic pattern is identical to the content of the original traffic pattern; and (d) determining whether a header combination structure of the original traffic pattern comprises only one content structure or more than one content structure and allocating a header index of the header combination structure of the stored traffic pattern to the header combination structure of the original traffic pattern if the header combination structure of the original traffic pattern is found to comprise only one content structure. Accordingly, it is possible to efficiently use hardware memories with limited storage capacities and effectively perform a pattern matching function.


    Data hashing method, data processing method, and data processing system using similarity-based hashing algorithm
    7.
    Invention application
    Data hashing method, data processing method, and data processing system using similarity-based hashing algorithm (status: granted)

    Publication No.: US20070130188A1

    Publication date: 2007-06-07

    Application No.: US11634731

    Filing date: 2006-12-06

    IPC classification: G06F7/00

    Abstract: Provided are a data hashing method, a data processing method, and a data processing system using a similarity-based hashing (SBH) algorithm in which the same hash value is calculated for the same data and, the more similar the data, the smaller the difference in the generated hash values. The data hashing method includes receiving computerized data, and generating a hash value of the computerized data using the SBH algorithm in which two data are the same if calculated hash values are the same and two data are similar if the difference of calculated hash values is small. Therefore, a search, comparison, and classification of data can be quickly processed within a time complexity of O(1) or O(n) since the similarity/closeness of data content are quantified by that of the corresponding hash values.


    Method and apparatus for blocking objectionable multimedia information
    8.
    Invention application
    Method and apparatus for blocking objectionable multimedia information (status: under examination, published)

    Publication No.: US20070016576A1

    Publication date: 2007-01-18

    Application No.: US11397581

    Filing date: 2006-04-03

    IPC classification: G06F17/30

    Abstract: A method and apparatus for blocking harmful multimedia information are provided. The apparatus for blocking harmful multimedia information includes: a harmful information classification model training unit analyzing multimedia training information whose grade of harmfulness is known in advance, extracting characteristics from the information, and then by applying machine training, generating a harmful information classification model; a harmful information grade classification unit determining a harmfulness grade of multimedia input information by using the harmful information classification model; and a harmful information blocking unit blocking the multimedia input information if the determined harmfulness grade of the multimedia input information is included in a preset range. According to the method and apparatus, the increase of databases containing harmful multimedia information can be prevented and the time taken for determining harmfulness can be reduced.


    Security router system and method of authenticating user who connects to the system
    9.
    Invention application
    Security router system and method of authenticating user who connects to the system (status: under examination, published)

    Publication No.: US20060101261A1

    Publication date: 2006-05-11

    Application No.: US11220887

    Filing date: 2005-09-07

    IPC classification: H04L9/00

    Abstract: Provided are a security router system for a network and a method of authenticating a user who connects to the system. The security routing system includes: a plurality of physical link ports inputting/outputting packets; a physical layer matching unit transmitting/receiving packets to the physical link ports and generating a media access control (MAC) frame; and a network processor including routing processing means that establishes a transport route for input packets via the physical layer matching unit and processes routing protocols, packet forwarding means that forward the input packets to their destinations, intrusion detection means that classify the input packets based on a packet classification standard and determine whether the input packets are attacks from outside, and user authentication means that determine whether a user is authorized to connect to a router, thereby reducing expenses required to build a network while maintaining security in comparison with a conventional firewall or intrusion detection system, and increasing reliability and safety of the network by preventing harmful traffic since each router performs a network security function.


    Method and apparatus for providing security mechanism guaranteeing transparency at transport layer

    Publication No.: US20060095758A1

    Publication date: 2006-05-04

    Application No.: US11103510

    Filing date: 2005-04-12

    IPC classification: H04L9/00

    CPC classification: H04L63/04 H04L63/061

    Abstract: Provided are a method and apparatus for providing a security mechanism guaranteeing transparency at a transport layer. The method includes: receiving a data packet from an application program, and searching key information corresponding to the data packet in a key information database; determining whether to request a key exchange module of an application layer for a new key negotiation according to a result obtained by searching key information; and performing encrypting/decrypting based on key information when the key exchange module stores key negotiation information obtained by the new key negotiation in a kernel. The apparatus encrypts/decrypts the data packet at the transport layer of the kernel, thereby providing the application program with security transparency, effectively controlling and making it easily expansible.