公开(公告)号：US08706866B2

公开(公告)日：2014-04-22

申请号：US12985728

申请日：2011-01-06

申请人： Sang Kyun Noh ,  Young Tae Yun ,  Dong Soo Kim ,  Yo Sik Kim ,  Yoon Jung Chung ,  Won Ho Kim ,  Yu Jung Han ,  Cheol Won Lee

发明人： Sang Kyun Noh ,  Young Tae Yun ,  Dong Soo Kim ,  Yo Sik Kim ,  Yoon Jung Chung ,  Won Ho Kim ,  Yu Jung Han ,  Cheol Won Lee

IPC分类号： G06F21/20 ,  G06F15/173

CPC分类号： H04L63/1458 ,  G06F21/44 ,  H04L67/146

摘要： Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.

摘要翻译： 提供了用于识别僵尸的虚拟服务器和方法，以及用于综合管理僵尸信息的宿窝服务器和方法。 虚拟服务器包括认证处理模块，使用CAPTCHA测试认证主机，并且当从主机接收到的web服务器访问请求消息不包括cookie时，向认证主机提供cookie，用于提取cookie值的cookie值验证模块 当web服务器访问请求消息包括cookie时，从Web服务器访问请求消息和验证提取的cookie值，当cookie值被验证时用于诱导主机访问web服务器的网页访问诱导模块，以及僵尸识别 当cookie值未被验证时阻止主机访问的模块，以及当阻塞操作次数超过阈值时将主机识别为僵尸。

公开(公告)号：US08955124B2

公开(公告)日：2015-02-10

申请号：US12985252

申请日：2011-01-05

申请人： Yo Sik Kim ,  Sang Kyun Noh ,  Yoon Jung Chung ,  Dong Soo Kim ,  Won Ho Kim ,  Yu Jung Han ,  Young Tae Yun ,  Ki Wook Sohn ,  Cheol Won Lee

发明人： Yo Sik Kim ,  Sang Kyun Noh ,  Yoon Jung Chung ,  Dong Soo Kim ,  Won Ho Kim ,  Yu Jung Han ,  Young Tae Yun ,  Ki Wook Sohn ,  Cheol Won Lee

IPC分类号： G06F21/00 ,  G06F21/56

CPC分类号： G06F21/566

摘要： Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

摘要翻译： 提供了一种用于检测插入到伪装的正常进程中的恶意代码的装置，系统和方法。 该装置包括恶意代码检测模块，用于提取由计算机系统上运行的进程生成的线程的信息，以识别与该线程相关的代码，初步确定所识别的代码是否是恶意的，并提取初步确定为恶意的代码 ; 以及强制恶意代码终止模块，用于基于在虚拟环境中执行的提取的代码的行为的分析结果，最终将代码确定为恶意代码，并强制终止代码的执行。

公开(公告)号：US20110271343A1

公开(公告)日：2011-11-03

申请号：US12985252

申请日：2011-01-05

申请人： Yo Sik Kim ,  Sang Kyun Noh ,  Yoon Jung Chung ,  Dong Soo Kim ,  Won Ho Kim ,  Yu Jung Han ,  Young Tae Yun ,  Ki Wook Sohn ,  Cheol Won Lee

发明人： Yo Sik Kim ,  Sang Kyun Noh ,  Yoon Jung Chung ,  Dong Soo Kim ,  Won Ho Kim ,  Yu Jung Han ,  Young Tae Yun ,  Ki Wook Sohn ,  Cheol Won Lee

IPC分类号： G06F21/00

CPC分类号： G06F21/566

摘要： Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

摘要翻译： 提供了一种用于检测插入到伪装的正常进程中的恶意代码的装置，系统和方法。 该装置包括恶意代码检测模块，用于提取由计算机系统上运行的进程生成的线程的信息，以识别与该线程相关的代码，初步确定所识别的代码是否是恶意的，并提取初步确定为恶意的代码 ; 以及强制恶意代码终止模块，用于基于在虚拟环境中执行的提取的代码的行为的分析结果，最终将代码确定为恶意代码，并强制终止代码的执行。

公开(公告)号：US20110270969A1

公开(公告)日：2011-11-03

申请号：US12985728

申请日：2011-01-06

申请人： Sang Kyun Noh ,  Young Tae Yun ,  Dong Soo Kim ,  Yo Sik Kim ,  Yoon Jung Chung ,  Won Ho Kim ,  Yu Jung Han ,  Cheol Won Lee

发明人： Sang Kyun Noh ,  Young Tae Yun ,  Dong Soo Kim ,  Yo Sik Kim ,  Yoon Jung Chung ,  Won Ho Kim ,  Yu Jung Han ,  Cheol Won Lee

IPC分类号： G06F21/20 ,  G06F15/173

CPC分类号： H04L63/1458 ,  G06F21/44 ,  H04L67/146

摘要： Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.

摘要翻译： 提供了用于识别僵尸的虚拟服务器和方法，以及用于综合管理僵尸信息的宿窝服务器和方法。 虚拟服务器包括认证处理模块，使用CAPTCHA测试认证主机，并且当从主机接收到的web服务器访问请求消息不包括cookie时，向认证主机提供cookie，用于提取cookie值的cookie值验证模块 当web服务器访问请求消息包括cookie时，从Web服务器访问请求消息和验证提取的cookie值，当cookie值被验证时用于诱导主机访问web服务器的网页访问诱导模块，以及僵尸识别 当cookie值未被验证时阻止主机访问的模块，以及当阻塞操作次数超过阈值时将主机识别为僵尸。

公开(公告)号：US08813226B2

公开(公告)日：2014-08-19

申请号：US12879691

申请日：2010-09-10

申请人： Yoon Jung Chung ,  Yo Sik Kim ,  Won Ho Kim ,  Dong Soo Kim ,  Sang Kyun Noh ,  Young Tae Yun ,  Cheol Won Lee

发明人： Yoon Jung Chung ,  Yo Sik Kim ,  Won Ho Kim ,  Dong Soo Kim ,  Sang Kyun Noh ,  Young Tae Yun ,  Cheol Won Lee

IPC分类号： G06F21/00 ,  G06F21/56 ,  G06F9/455 ,  G06F21/55 ,  H04L29/06

CPC分类号： G06F9/455 ,  G06F21/55 ,  G06F21/554 ,  G06F21/56 ,  G06F21/566 ,  G06F2212/151 ,  H04L29/06877 ,  H04L29/06891 ,  H04L29/06911 ,  H04L29/06918 ,  H04L63/14 ,  H04L63/1416 ,  H04L63/1441 ,  H04L2463/144

摘要： A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.

摘要翻译： 提供了使用伪装的虚拟机信息的针对智能机器人的防御方法和设备。 该方法包括对由进程发送的虚拟机检测请求执行全局挂接，根据预先存储的恶意进程信息确定发送虚拟机检测请求的进程是否对应于恶意进程，以及何时 发现过程与恶意进程对应，作为确定的结果，确定该进程是由智能机器人生成的，并将伪装的虚拟机信息返回到该进程。

公开(公告)号：US20100169973A1

公开(公告)日：2010-07-01

申请号：US12571825

申请日：2009-10-01

申请人： Ki Hong Kim ,  Ga Ram Jung ,  Hyun Cheol Jeong ,  Chae Tae Im ,  Seung Goo Ji ,  Sang Kyun Noh ,  Joo Hyung Oh

发明人： Ki Hong Kim ,  Ga Ram Jung ,  Hyun Cheol Jeong ,  Chae Tae Im ,  Seung Goo Ji ,  Sang Kyun Noh ,  Joo Hyung Oh

IPC分类号： G06F11/00

CPC分类号： G06F21/566

摘要： There is provided a system and method for detecting unknown malicious code by analyzing kernel based system actions. More particularly, the system and method provides an advantage of actively countering unknown malicious code or viruses by monitoring kernel based system events in real time, organizing action data based on the collected event data, determining whether the action data corresponds to predetermined malicious actions, backtracking a subject of a malicious action when the action data is determined to correspond to the malicious action, and processing the malicious action.

摘要翻译： 提供了一种通过分析基于内核的系统动作来检测未知恶意代码的系统和方法。 更具体地说，系统和方法提供了通过基于所收集的事件数据来监视基于内核的系统事件来主动对抗未知恶意代码或病毒的优点，确定动作数据是否对应于预定的恶意动作，回溯 当确定动作数据以对应于恶意动作时的恶意动作的主题，以及处理恶意动作。