公开(公告)号：US07596810B2

公开(公告)日：2009-09-29

申请号：US11081682

申请日：2005-03-17

申请人： Jin Oh Kim ,  Seon Gyoung Sohn ,  Hyochan Bang ,  Soo Hyung Lee ,  Dongyoung Kim ,  Beom Hwan Chang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Jin Oh Kim ,  Seon Gyoung Sohn ,  Hyochan Bang ,  Soo Hyung Lee ,  Dongyoung Kim ,  Beom Hwan Chang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G08B23/00 ,  G06F15/173

CPC分类号： H04L63/1416 ,  G06F21/552 ,  G06F21/85 ,  H04L63/1441

摘要： Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Equal numbers of hash engines and detection engines for processing the alarms in the network to the number of data groups classified as network attack situations are formed in a line. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.

摘要翻译： 提供了一种用于检测网络攻击情况的装置。 该装置包括接收在连接有报警接收器的网络中升起的多个报警的报警接收机，将报警转换成预定报警数据，并输出报警数据; 报警处理器根据报警数据的属性和产生报警数据的次数分析网络中的攻击情况; 存储器，用于存储分析网络状态并将基本数据提供给报警处理器所需的基本数据; 以及将所述报警处理器的分析结果发送到外部设备的接口，从外部设备接收预定的临界值，所述临时值是用于确定所述攻击情况的发生的基础，并且将所述临界值输出到所述报警处理器 使得报警处理器可以将临界值存储在存储器中。 在网络中形成等同数量的散列引擎和检测引擎，用于将网络中的警报处理为分类为网络攻击情况的数据组的数量。 因此，可以基于大量表示入侵检测的告警来实时检测网络攻击情况。

公开(公告)号：US20090094699A1

公开(公告)日：2009-04-09

申请号：US12275906

申请日：2008-11-21

申请人： Jin Oh KIM ,  Seon Gyoung Sohn ,  Hyochan Bang ,  Soo Hyung Lee ,  Dongyoung Kim ,  Beom Hwan Chang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Jin Oh KIM ,  Seon Gyoung Sohn ,  Hyochan Bang ,  Soo Hyung Lee ,  Dongyoung Kim ,  Beom Hwan Chang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F15/18 ,  G08B23/00

CPC分类号： H04L63/1416 ,  G06F21/552 ,  G06F21/85 ,  H04L63/1441

摘要： Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Equal numbers of hash engines and detection engines for processing the alarms in the network to the number of data groups classified as network attack situations are formed in a line. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.

摘要翻译： 提供了一种用于检测网络攻击情况的装置。 该装置包括接收在连接有报警接收器的网络中升起的多个报警的报警接收机，将报警转换成预定报警数据，并输出报警数据; 报警处理器根据报警数据的属性和产生报警数据的次数分析网络中的攻击情况; 存储器，用于存储分析网络状态并将基本数据提供给报警处理器所需的基本数据; 以及将所述报警处理器的分析结果发送到外部设备的接口，从外部设备接收预定的临界值，所述临时值是用于确定所述攻击情况的发生的基础，并且将所述临界值输出到所述报警处理器 使得报警处理器可以将临界值存储在存储器中。 在网络中形成等同数量的散列引擎和检测引擎，用于将网络中的警报处理为分类为网络攻击情况的数据组的数量。 因此，可以基于大量表示入侵检测的告警来实时检测网络攻击情况。

公开(公告)号：US07787394B2

公开(公告)日：2010-08-31

申请号：US11599909

申请日：2006-11-15

申请人： Beom Hwan Chang ,  Jung Chan Na ,  Geon Lyang Kim ,  Dong Young Kim ,  Jin Oh Kim ,  Hyun Joo Kim ,  Hyo Chan Bang ,  Soo Hyung Lee ,  Seon Gyoung Sohn ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Beom Hwan Chang ,  Jung Chan Na ,  Geon Lyang Kim ,  Dong Young Kim ,  Jin Oh Kim ,  Hyun Joo Kim ,  Hyo Chan Bang ,  Soo Hyung Lee ,  Seon Gyoung Sohn ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： H04L12/66 ,  G01R31/08 ,  H04W36/00

CPC分类号： H04L43/045 ,  H04L43/0817 ,  H04L43/16

摘要： A network status display device using a traffic flow-radar is provided. The network status display device includes: a traffic feature extractor calculating flow occupancy rates for total flows, micro-flows and macro-flows with respect to each of a plurality of traffic features with reference to traffic information for each traffic feature such as a network address, a port, a transmitting/receiving host address or a protocol collected by an external traffic information collector, and storing the calculation result; a traffic status display unit displaying the flow occupancy rates for each traffic feature calculated and stored in the traffic feature extractor on a radar with dots for each traffic feature; and a traffic anomaly determination unit determining whether a network status is abnormal with reference to the radar for each traffic feature, detecting and reporting the type of the abnormal network status and harmful or abnormal traffic that generates the abnormal network status, when the abnormal status occurs.

摘要翻译： 提供了使用交通流量雷达的网络状态显示装置。 网络状态显示装置包括：业务特征提取器，参考每个业务特征（例如网络地址）的业务信息来计算关于多个业务特征中的每一个的总流量，微流量和宏流量的流量占用率 ，端口，发送/接收主机地址或由外部交通信息收集器收集的协议，并存储计算结果; 交通状态显示单元，其显示针对每个交通特征点的雷达上计算并存储在交通特征提取器中的每个交通特征的流量占用率; 以及交通异常判定单元，针对每个流量特征，参照雷达确定网络状态是否异常，检测和报告异常网络状态的类型以及产生异常网络状态的有害或异常流量，当发生异常状态时 。

公开(公告)号：US20100150008A1

公开(公告)日：2010-06-17

申请号：US12530193

申请日：2008-03-07

申请人： Seon Gyoung Sohn ,  Chi Yoon Jeong ,  Beom Hwan Chang ,  Soo Hyung Lee ,  Hyo Chan Bang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Won Joo Park ,  Jong Ho Ryu ,  Jong Hyun Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Seon Gyoung Sohn ,  Chi Yoon Jeong ,  Beom Hwan Chang ,  Soo Hyung Lee ,  Hyo Chan Bang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Won Joo Park ,  Jong Ho Ryu ,  Jong Hyun Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： H04L12/26

CPC分类号： H04L41/22 ,  H04L43/045 ,  H04L63/1408

摘要： There are provided a network state display apparatus and method capable of easily determining a present network security state in real time by analyzing an abnormality and harmful traffic deteriorating performance of a network in software by using a result of combining essential characteristics of traffic, a distinct dispersion, and an entropy and displaying the network state to be intuitionally recognized, the method including selecting and combining three of a source address, a source port, a destination address, and a destination port of collected traffic and calculating a distinct dispersion and an entropy of a residual one therefrom; displaying the calculated distinct dispersion and entropy on a security radar where the distinct dispersion and the entropy are assigned to an angle and a radius; determining whether a network state is abnormal, based on a result displayed on the security radar; and detecting reporting detailed information on abnormal traffic causing the abnormal network state.

摘要翻译： 提供了一种网络状态显示装置和方法，其能够通过使用组合业务的基本特征的结果分析软件中的网络的异常和有害的业务恶化的性能来实时地容易地确定当前的网络安全状态，不同的分散 以及熵并显示要直观识别的网络状态，所述方法包括选择和组合收集的业务的源地址，源端口，目的地地址和目的地端口中的三个，并计算不同的色散和熵 剩余的一个; 在安全雷达上显示计算出的不同色散和熵，其中明确的色散和熵分配给角度和半径; 基于安全雷达上显示的结果，确定网络状态是否异常; 检测异常网络状态异常报告的详细信息。

公开(公告)号：US20100100619A1

公开(公告)日：2010-04-22

申请号：US12517091

申请日：2007-10-24

申请人： Beom Hwan Chang ,  Chi Yoon Jeong ,  Seon Gyoung Sohn ,  Soo Hyung Lee ,  Hyo Chan Bang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Won Joo Park ,  Jong Ho Ryu ,  Jong Hyun Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Beom Hwan Chang ,  Chi Yoon Jeong ,  Seon Gyoung Sohn ,  Soo Hyung Lee ,  Hyo Chan Bang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Won Joo Park ,  Jong Ho Ryu ,  Jong Hyun Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F11/32

CPC分类号： H04L41/28 ,  H04L41/0631 ,  H04L41/22 ,  H04L63/1425 ,  H04L63/20

摘要： There are provided a network security state visualization device and method, the device including: a security event collector collecting original security event information from network security apparatuses; a security event analyzer analyzing the original security event information collected by the security event collector and extracting characteristic data corresponding to a security event; and a three-dimensional visualization display unit visualizing a correlation between the characteristic data extracted by the security event analyzer as a three-dimensional screen to be displayed.

摘要翻译： 提供了网络安全状态可视化设备和方法，该设备包括：安全事件收集器，从网络安全设备收集原始安全事件信息; 分析安全事件收集器收集的原始安全事件信息并提取对应于安全事件的特征数据的安全事件分析器; 以及三维可视化显示单元，将由安全事件分析器提取的特征数据之间的相关性可视化为要显示的三维屏幕。

公开(公告)号：US08019865B2

公开(公告)日：2011-09-13

申请号：US12517091

申请日：2007-10-24

申请人： Beom Hwan Chang ,  Chi Yoon Jeong ,  Seon Gyoung Sohn ,  Soo Hyung Lee ,  Hyo Chan Bang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Won Joo Park ,  Jong Ho Ryu ,  Jong Hyun Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Beom Hwan Chang ,  Chi Yoon Jeong ,  Seon Gyoung Sohn ,  Soo Hyung Lee ,  Hyo Chan Bang ,  Geon Lyang Kim ,  Hyun Joo Kim ,  Won Joo Park ,  Jong Ho Ryu ,  Jong Hyun Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F15/173

CPC分类号： H04L41/28 ,  H04L41/0631 ,  H04L41/22 ,  H04L63/1425 ,  H04L63/20

摘要： There are provided a network security state visualization device and method, the device including: a security event collector collecting original security event information from network security apparatuses; a security event analyzer analyzing the original security event information collected by the security event collector and extracting characteristic data corresponding to a security event; and a three-dimensional visualization display unit visualizing a correlation between the characteristic data extracted by the security event analyzer as a three-dimensional screen to be displayed.

摘要翻译： 提供了网络安全状态可视化设备和方法，该设备包括：安全事件收集器，从网络安全设备收集原始安全事件信息; 分析安全事件收集器收集的原始安全事件信息并提取对应于安全事件的特征数据的安全事件分析器; 以及三维可视化显示单元，将由安全事件分析器提取的特征数据之间的相关性可视化为要显示的三维屏幕。

公开(公告)号：US07849187B2

公开(公告)日：2010-12-07

申请号：US11527850

申请日：2006-09-26

申请人： Beom Hwan Chang ,  Jung Chan Na ,  Geon Lyang Kim ,  Dong Young Kim ,  Jin Oh Kim ,  Hyun Joo Kim ,  Hyo Chan Bang ,  Soo Hyung Lee ,  Seon Gyoung Shon ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Beom Hwan Chang ,  Jung Chan Na ,  Geon Lyang Kim ,  Dong Young Kim ,  Jin Oh Kim ,  Hyun Joo Kim ,  Hyo Chan Bang ,  Soo Hyung Lee ,  Seon Gyoung Shon ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F15/16

CPC分类号： H04L43/028 ,  H04L43/062 ,  H04L43/16 ,  H04L63/1408

摘要： A network status display device using a traffic pattern map is provided. The device includes: a traffic feature extractor extracting a port number of a port having the maximum occupancy of micro-flows and macro-flows for each network address section and host address section with reference to traffic information collected by an external traffic information collector, calculating and storing an occupancy rate of the port; a traffic status display unit making a network traffic pattern map expressed by destination-source network addresses and a host traffic pattern map expressed by destination-source host addresses and displaying the port information stored in the traffic feature extractor on the network traffic pattern map and the host traffic pattern map; and a traffic anomaly determination unit determining whether a network status is abnormal with reference to the network traffic pattern map and the host traffic pattern map and detecting and reporting a harmful or abnormal traffic which causes the abnormal network status. The device can determine whether the anomaly deteriorating the network performance exists and can easily and quickly detect the harmful or abnormal traffic which causes the anomaly by the use of the port information of the port having the maximum occupancy of the micro-flows and the macro-flows for each network address section and each host address section.

摘要翻译： 提供了使用业务模式图的网络状态显示设备。 该设备包括：流量特征提取器，参考由外部交通信息收集器收集的交通信息，提取每个网络地址部分和主机地址部分具有最大占用微流量和宏流量的端口的端口号，计算 并存储所述端口的占用率; 形成由目的地源网络地址表示的网络流量模式图的流量状态显示单元和由目的地 - 源主机地址表示的主机流量模式图，并且在网络流量模式图上显示存储在流量特征提取器中的端口信息，并且 主机流量模式图; 以及流量异常判定单元，基于网络流量模式图和主机流量模式图来判断网络状态是否异常，并检测并报告导致异常网络状态的有害或异常流量。 该设备可以确定异常是否存在网络性能恶化，并可以通过使用具有微流量最大占用端口的端口信息和宏观流量来轻松快速地检测导致异常的有害或异常流量， 每个网络地址部分和每个主机地址部分的流程。

公开(公告)号：US20110016208A1

公开(公告)日：2011-01-20

申请号：US12667130

申请日：2007-11-19

申请人： Chi Yoon Jeong ,  Beom Hwan Chang ,  Seon Gyoung Sohn ,  Geon Lyang Kim ,  Jong Hyun Kim ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Chi Yoon Jeong ,  Beom Hwan Chang ,  Seon Gyoung Sohn ,  Geon Lyang Kim ,  Jong Hyun Kim ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F15/173

CPC分类号： H04L63/1416 ,  G06Q10/06

摘要： There are provided an apparatus and method for sampling a security event based on contents of the security event, the apparatus including: a security event accumulation module collecting security events occurring in a network system and storing the security events for each type according to contents of the security event; a security event analysis module calculating distribution of the security events for each type by analyzing the stored security events; and a security event extraction module sampling the stored security events according to the calculated distribution of the security events for each type. The apparatus and method may improve speed of visualization of a security event and a security event analysis apparatus and may increase accuracy thereof.

摘要翻译： 提供了一种基于安全事件的内容对安全事件进行采样的装置和方法，该装置包括：安全事件累积模块，其收集网络系统中发生的安全事件，并根据所述安全事件的内容存储每种类型的安全事件 安全事件; 安全事件分析模块，通过分析存储的安全事件来计算每种类型的安全事件的分布; 并且安全事件提取模块根据计算出的每种类型的安全事件的分布来对存储的安全事件进行采样。 该装置和方法可以提高安全事件和安全事件分析装置的可视化速度并且可以提高其精度。

公开(公告)号：US08140671B2

公开(公告)日：2012-03-20

申请号：US12667130

申请日：2007-11-19

申请人： Chi Yoon Jeong ,  Beom Hwan Chang ,  Seon Gyoung Sohn ,  Geon Lyang Kim ,  Jong Hyun Kim ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Chi Yoon Jeong ,  Beom Hwan Chang ,  Seon Gyoung Sohn ,  Geon Lyang Kim ,  Jong Hyun Kim ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F15/173

CPC分类号： H04L63/1416 ,  G06Q10/06

摘要： There are provided an apparatus and method for sampling a security event based on contents of the security event, the apparatus including: a security event accumulation module collecting security events occurring in a network system and storing the security events for each type according to contents of the security event; a security event analysis module calculating distribution of the security events for each type by analyzing the stored security events; and a security event extraction module sampling the stored security events according to the calculated distribution of the security events for each type. The apparatus and method may improve speed of visualization of a security event and a security event analysis apparatus and may increase accuracy thereof.

摘要翻译： 提供了一种基于安全事件的内容对安全事件进行采样的装置和方法，该装置包括：安全事件累积模块，其收集网络系统中发生的安全事件，并根据所述安全事件的内容存储每种类型的安全事件 安全事件; 安全事件分析模块，通过分析存储的安全事件来计算每种类型的安全事件的分布; 并且安全事件提取模块根据计算出的每种类型的安全事件的分布来对存储的安全事件进行采样。 该装置和方法可以提高安全事件和安全事件分析装置的可视化速度并且可以提高其精度。

公开(公告)号：US08307441B2

公开(公告)日：2012-11-06

申请号：US12669633

申请日：2007-11-21

申请人： Jong Hyun Kim ,  Geon Lyang Kim ,  Seon Gyoung Sohn ,  Beom Hwan Chang ,  Chi Yoon Jeong ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

发明人： Jong Hyun Kim ,  Geon Lyang Kim ,  Seon Gyoung Sohn ,  Beom Hwan Chang ,  Chi Yoon Jeong ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC分类号： G06F11/34

CPC分类号： H04L45/00 ,  H04L45/12 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1441 ,  H04L2463/146

摘要： There are provided a system and method for tracing back an attacker by using centroid decomposition technique, the system including: a log data input module collecting log data of an intrusion alarm from an intrusion detection system; a centroid node detection module generating a shortest path tree by applying a shortest path algorithm to network router connection information collected by a network administration server, detecting a centroid node by applying centroid decomposition technique removing a leaf-node to the shortest path tree, and generating a centroid tree whose node of each level is the detected centroid node; and a traceback processing module requesting log data of a router matched with the node of each level of the centroid tree, and tracing back a router identical to the log data of the collected intrusion alarm as a router connected to a source of an attacker by comparing the log data of the router with the log data of the collected intrusion alarm. According to the system and method, an attacker causing a security intrusion event may be quickly detected, a load on the system is reduced, and a passage host exposed to a danger or having weaknesses may be easily recognized, thereby easily coping with an attack.

摘要翻译： 提供了一种通过使用质心分解技术跟踪攻击者的系统和方法，该系统包括：日志数据输入模块，从入侵检测系统收集入侵警报的日志数据; 质心节点检测模块，通过对网络管理服务器收集的网络路由器连接信息应用最短路径算法，生成最短路径树，通过应用质心分解技术检测质心节点，去除叶节点到最短路径树，并生成 每个级别的节点是检测到的质心节点的质心树; 以及回溯处理模块，请求与质心树的每个级别的节点匹配的路由器的日志数据，并且通过比较来跟踪与收集的入侵警报器的日志数据相同的路由器作为连接到攻击者的源的路由器 路由器的日志数据与收集的入侵报警的日志数据。 根据系统和方法，可以快速地检测到导致安全入侵事件的攻击者，系统上的负载减少，并且易于识别暴露于危险或具有弱点的通道主机，从而容易地应对攻击。