公开(公告)号：US20060123031A1

公开(公告)日：2006-06-08

申请号：US11244188

申请日：2005-10-05

申请人： Seung Shin ,  Jin Oh ,  Ki Kim ,  Jong Jang ,  Sung Sohn

发明人： Seung Shin ,  Jin Oh ,  Ki Kim ,  Jong Jang ,  Sung Sohn

IPC分类号： G06F17/00 ,  G06F7/00

CPC分类号： H04L69/22 ,  G06F16/9017 ,  H04L63/0227

摘要： A prefiltering method and apparatus for prefiltering a data stream for pattern matching are provided. The prefiltering method includes: receiving a data stream; loading previously stored filtering policies; filtering the data stream according to the loaded filtering policies and generating additional filtering information regarding the filtered data stream; determining whether to transmit the data stream to a search engine apparatus that performs pattern matching based on the additional filtering information; and transmitting the data stream to the search engine apparatus if the data stream is determined as requiring transmission. Therefore, it is possible to provide a high-performance pattern matching system that can achieve a high precision of pattern matching.

摘要翻译： 提供了一种用于预过滤数据流以进行模式匹配的预过滤方法和装置。 预过滤方法包括：接收数据流; 加载以前存储的过滤策略; 根据所加载的过滤策略对数据流进行过滤，并产生关于过滤的数据流的附加过滤信息; 确定是否将数据流发送到基于附加过滤信息执行模式匹配的搜索引擎装置; 以及如果数据流被确定为需要传输，则将数据流发送到搜索引擎装置。 因此，可以提供能够实现图案匹配的高精度的高性能图案匹配系统。

公开(公告)号：US20070094178A1

公开(公告)日：2007-04-26

申请号：US11453954

申请日：2006-06-14

申请人： Seung Shin ,  Jin Oh ,  Jong Jang ,  Sung Sohn

发明人： Seung Shin ,  Jin Oh ,  Jong Jang ,  Sung Sohn

IPC分类号： G06F15/18

CPC分类号： G06F21/56 ,  G06F17/30949 ,  G06F21/55 ,  G06F21/567 ,  G06K9/62 ,  Y10S707/99936

摘要： A method and apparatus for storing pattern matching data and a pattern matching method using the method and apparatus are provided. The method of storing original data for pattern matching in a pattern matching apparatus includes: dividing the original data into segments of a predetermined size; performing a hash operation on each of the divided segments; determining whether or not the hash operation value of each segment causes a hash collision with a hash operation value stored in a first external memory disposed outside the pattern matching apparatus; and controlling the hash operation value of each segment determined not to cause a hash collision to be stored in the first external memory. According to the method and apparatus, the original data desired to be used for pattern matching can be stored at a faster speed in a pattern matching data storing apparatus.

摘要翻译： 提供一种用于存储模式匹配数据的方法和装置以及使用该方法和装置的模式匹配方法。 在模式匹配装置中存储用于模式匹配的原始数据的方法包括：将原始数据划分成预定大小的段; 对每个分割的段执行散列操作; 确定每个段的散列操作值是否与存储在布置在模式匹配装置外部的第一外部存储器中的散列操作值引起哈希冲突; 并且将被确定为不引起散列冲突的每个段的散列操作值控制在第一外部存储器中。 根据该方法和装置，可以在模式匹配数据存储装置中以更快的速度存储期望用于模式匹配的原始数据。

公开(公告)号：US20070147382A1

公开(公告)日：2007-06-28

申请号：US11635245

申请日：2006-12-07

申请人： Byoung Kim ,  Kwang Baik ,  Jin Oh ,  Jong Jang ,  Sung Sohn

发明人： Byoung Kim ,  Kwang Baik ,  Jin Oh ,  Jong Jang ,  Sung Sohn

IPC分类号： H04L12/56

CPC分类号： H04L12/5602

摘要： A method of storing a pattern matching policy and a method of controlling an alert message are provided. The method includes (a) generating a content structure as a sub-structure of a header combination structure of a stored traffic pattern which is a policy to be newly applied to a pattern matching apparatus; (b) determining whether a content of the stored traffic pattern is identical to a content of an original traffic pattern stored in advance in the pattern matching apparatus; (c) allocating a content index of the content of the original traffic pattern to the content of the stored traffic pattern if the content of the stored traffic pattern is identical to the content of the original traffic pattern; and (d) determining whether a header combination structure of the original traffic pattern comprises only one content structure or more than one content structure and allocating a header index of the header combination structure of the stored traffic pattern to the header combination structure of the original traffic pattern if the header combination structure of the original traffic pattern is found to comprise only one content structure. Accordingly, it is possible to efficiently use hardware memories with limited storage capacities and effectively perform a pattern matching function.

摘要翻译： 提供了一种存储模式匹配策略的方法和一种控制警报消息的方法。 该方法包括：（a）生成内容结构作为作为新应用于模式匹配装置的策略的存储的流量模式的头部组合结构的子结构; （b）确定存储的业务模式的内容是否与预先存储在模式匹配装置中的原始业务模式的内容相同; （c）如果存储的业务模式的内容与原始业务模式的内容相同，则将原始业务模式的内容的内容索引分配给所存储的业务模式的内容; 和（d）确定原始业务模式的报头组合结构是否仅包含一个内容结构或多于一个内容结构，并且将所存储的业务模式的报头组合结构的报头索引分配给原始业务的报头组合结构 如果发现原始流量模式的头组合结构仅包含一个内容结构，则模式。 因此，可以有效地使用具有有限存储容量的硬件存储器并且有效地执行模式匹配功能。

公开(公告)号：US20060123480A1

公开(公告)日：2006-06-08

申请号：US11088975

申请日：2005-03-24

申请人： Jintae Oh ,  Seung Shin ,  Ki Kim ,  Jong Jang ,  Sung Sohn

发明人： Jintae Oh ,  Seung Shin ,  Ki Kim ,  Jong Jang ,  Sung Sohn

IPC分类号： G06F12/14

CPC分类号： H04L63/1408

摘要： The present invention relates to a real-time network attack pattern detection system and a method thereof in which a common pattern is detected in real time from packets, which are suspected to be a network attack such as Worm, to effectively block the attack. The system includes: a suspicious packet detector for classifying a suspicious attack packet from all input packets; a first data delaying unit for receiving the input packet from the suspicious packet detector to output an one-clock delayed data; a second data delaying unit for receiving an output signal from the first data delaying unit to output an one-clock delayed data; a hash key generator for receiving an output data of the suspicious packet detector, an output data of the first data delaying unit and an output data of the second data delaying unit to generate a hash key; a hash table for storing a lookup result obtained by the hash key generated from the hash key generator; and an existence & hit checker for checking the lookup result of the hash table.

摘要翻译： 本发明涉及一种实时网络攻击模式检测系统及其方法，其中从怀疑是诸如蠕虫的网络攻击的分组实时检测到公共模式，以有效地阻止攻击。 该系统包括：可疑包检测器，用于从所有输入分组中分类可疑攻击包; 第一数据延迟单元，用于从可疑分组检测器接收输入分组以输出一个时钟延迟的数据; 第二数据延迟单元，用于从第一数据延迟单元接收输出信号以输出一个时钟延迟的数据; 散列密钥发生器，用于接收可疑包检测器的输出数据，第一数据延迟单元的输出数据和第二数据延迟单元的输出数据以产生散列密钥; 哈希表，用于存储通过从所述散列密钥发生器生成的散列密钥获得的查找结果; 以及用于检查哈希表的查找结果的存在和命中检查器。

公开(公告)号：US20060085855A1

公开(公告)日：2006-04-20

申请号：US11023384

申请日：2004-12-29

申请人： Seung Shin ,  Jintae Oh ,  Ki Kim ,  Jong Jang ,  Sung Sohn

发明人： Seung Shin ,  Jintae Oh ,  Ki Kim ,  Jong Jang ,  Sung Sohn

IPC分类号： G06F12/14

CPC分类号： H04L63/1416 ,  H04L63/12 ,  H04L69/22

摘要： The present invention relates to a network intrusion detection and prevention system. The system includes: a signature based detecting device; an anomaly behavior based detecting device; and a new signature creating and verifying device disposed between the signature based detecting device and the anomaly behavior based detecting device, wherein if the anomaly behavior based detecting device detects network-attack-suspicious packets, the new signature creating and verifying device collects and searches the detected suspicious packets for common information, and then creates a new signature on the basis of the searched common information and at the same time, verifies whether or not the created new signature is applicable to the signature based detecting device, and then registers the created new signature to the signature based detecting device if it is determined that the created new signature is applicable.

公开(公告)号：US20050141513A1

公开(公告)日：2005-06-30

申请号：US10993606

申请日：2004-11-19

申请人： Jintae Oh ,  Seung Shin ,  Ki Kim ,  Jong Jang ,  Sung Sohn

发明人： Jintae Oh ,  Seung Shin ,  Ki Kim ,  Jong Jang ,  Sung Sohn

IPC分类号： H04L12/56

CPC分类号： H04L45/00 ,  H04L45/54 ,  H04L45/62

摘要： An apparatus and method for performing packet header lookup based on sequential lookup is provided. A header analyzer separates a header from a packet received via a network and outputs a lookup sequence. A unit lookup unit looks up matching the header combination rules with each field to be analyzed and input from the header analyzer based on the lookup sequence input from the header analyzer and outputs a match signal and a match address. A rule combination memory stores identification information for the header combination rules. A sequence combination memory stores lookup sequence information and sequence combination information. A rule combination unit generates match results based on the match signal input from the unit lookup unit and data read from the rule combination memory and the sequence combination memory.

摘要翻译： 提供了一种用于基于顺序查找来执行分组报头查找的装置和方法。 报头分析器将报头与经由网络接收的分组分离，并输出查找序列。 单元查找单元根据从标题分析器输入的查找序列查找与标题组合规则与要分析的每个字段和从标题分析器输入的匹配，并输出匹配信号和匹配地址。 规则组合存储器存储标题组合规则的标识信息。 序列组合存储器存储查找序列信息和序列组合信息。 规则组合单元基于从单元查找单元输入的匹配信号和从规则组合存储器和序列组合存储器读取的数据产生匹配结果。

公开(公告)号：US20070124815A1

公开(公告)日：2007-05-31

申请号：US11484257

申请日：2006-07-10

申请人： Kwang Baik ,  Byoung Kim ,  Jin Oh ,  Jong Jang ,  Sung Sohn

发明人： Kwang Baik ,  Byoung Kim ,  Jin Oh ,  Jong Jang ,  Sung Sohn

IPC分类号： G06F12/14

CPC分类号： H04L63/1416

摘要： A method and apparatus for storing an intrusion rule are provided. The method stores a new intrusion rule in an intrusion detection system having already stored intrusion rules, and includes: generating combinations of divisions capable of dividing the new intrusion rule into a plurality of partial intrusion rules; calculating the frequency of hash value collisions between each of the generated division combinations and the already stored intrusion rules; dividing the new intrusion rule according to the division combination which has the lowest calculated frequency of hash value collisions; and storing the divided new intrusion rule in a corresponding position of the intrusion detection system. According to the method and apparatus, the size of the storage unit occupied by the intrusion rule can be reduced, and by performing pattern matching, the performance of the intrusion detection system can be enhanced.

摘要翻译： 提供了一种用于存储入侵规则的方法和装置。 该方法在已经存储了入侵规则的入侵检测系统中存储新的入侵规则，并且包括：生成能够将新的入侵规则划分成多个部分入侵规则的分割组合; 计算每个生成的分割组合与已经存储的入侵规则之间的散列值冲突的频率; 根据哈希值碰撞计算频率最低的划分组合划分新的入侵规则; 并将分割的新入侵规则存储在入侵检测系统的相应位置。 根据该方法和装置，可以减少入侵规则占用的存储单元的大小，通过执行模式匹配，能够提高入侵检测系统的性能。

公开(公告)号：US20060198375A1

公开(公告)日：2006-09-07

申请号：US11269340

申请日：2005-11-07

申请人： Kwang Baik ,  Jin Oh ,  Ki Kim ,  Jong Jang ,  Sung Sohn

发明人： Kwang Baik ,  Jin Oh ,  Ki Kim ,  Jong Jang ,  Sung Sohn

IPC分类号： H04J1/16 ,  H04L12/56

CPC分类号： H04L63/1416 ,  H04L69/16 ,  H04L69/166

摘要： A method and apparatus for pattern matching using packet reassembly are provided. The pattern matching method using packet reassembly includes: extracting serial information in relation to a current input packet; determining whether or not pattern matching result information in relation to one or more previous packets and/or subsequent packets on the basis of the serial number of the current input packet is already stored; loading the pattern matching result information in relation to the previous packets and/or subsequent packets; and reassembling the loaded pattern matching result information in relation to the previous packets and/or subsequent packets and the current input packet and performing pattern matching with attack patterns which are already stored. Accordingly, by using packet reassembly, a method and apparatus for pattern matching capable of reducing memory usage without lowering the speed can be provided

摘要翻译： 提供了一种使用分组重组进行模式匹配的方法和装置。 使用分组重组的模式匹配方法包括：提取与当前输入分组相关的串行信息; 基于当前输入分组的序列号来确定与一个或多个先前分组和/或后续分组相关的模式匹配结果信息是否已被存储; 加载与先前分组和/或后续分组相关的模式匹配结果信息; 并重新组合与先前分组和/或后续分组和当前输入分组相关的加载模式匹配结果信息，并且与已经存储的攻击模式执行模式匹配。 因此，通过使用分组重组，可以提供能够在不降低速度的情况下减少存储器使用的用于模式匹配的方法和装置

公开(公告)号：US20050141423A1

公开(公告)日：2005-06-30

申请号：US11004426

申请日：2004-12-03

申请人： Jong Lee ,  Jintae Oh ,  Jong Jang ,  Sung Sohn

发明人： Jong Lee ,  Jintae Oh ,  Jong Jang ,  Sung Sohn

IPC分类号： H04L12/28 ,  H04L12/24 ,  H04L12/26

CPC分类号： H04L41/0896 ,  H04L43/026

摘要： A method of and an apparatus for sorting data traffic based on a predetermined priority such as a bandwidth and a liveliness is provided. The method includes operations of: receiving the data flows; sorting the data flows based on bandwidth by defining a plurality of bandwidth ranges and classifying the sorted data flows according to the bandwidth ranges to which the bandwidth of each data flow belongs; and sorting the classified data flows based on liveliness representing frequency of occurrence of the data flows. The sorting of the classified data lows determines that the data flow which is recently received has the higher liveliness and sorts the data flows based on the determination. The method and apparatus facilitates selecting data flows which are possible hostile attack attempts from a vast amount of data traffic and allowing selective and intensive monitoring of the selected data flows.

摘要翻译： 提供了一种基于诸如带宽和活力之类的预定优先级对数据业务排序的方法和装置。 该方法包括：接收数据流; 通过定义多个带宽范围，根据带宽分配数据流，并根据每个数据流的带宽所属的带宽范围对排序的数据流进行分类; 并根据表示数据流出现频率的生物活动对分类数据流进行排序。 分类数据低的排序确定最近接收的数据流具有更高的活力并且基于确定对数据流进行排序。 所述方法和装置有助于从大量的数据业务中选择可能的敌对攻击尝试的数据流，并允许选择性和密集地监视所选数据流。

公开(公告)号：US20070206498A1

公开(公告)日：2007-09-06

申请号：US11599909

申请日：2006-11-15

申请人： Beom Chang ,  Jung Na ,  Geon Kim ,  Dong Kim ,  Jin Kim ,  Hyun Kim ,  Hyo Bang ,  Soo Lee ,  Seon Sohn ,  Jong Jang ,  Sung Sohn

发明人： Beom Chang ,  Jung Na ,  Geon Kim ,  Dong Kim ,  Jin Kim ,  Hyun Kim ,  Hyo Bang ,  Soo Lee ,  Seon Sohn ,  Jong Jang ,  Sung Sohn

IPC分类号： H04L12/26

CPC分类号： H04L43/045 ,  H04L43/0817 ,  H04L43/16

摘要： A network status display device using a traffic flow-radar is provided. The network status display device includes: a traffic feature extractor calculating flow occupancy rates for total flows, micro-flows and macro-flows with respect to each of a plurality of traffic features with reference to traffic information for each traffic feature such as a network address, a port, a transmitting/receiving host address or a protocol collected by an external traffic information collector, and storing the calculation result; a traffic status display unit displaying the flow occupancy rates for each traffic feature calculated and stored in the traffic feature extractor on a radar with dots for each traffic feature; and a traffic anomaly determination unit determining whether a network status is abnormal with reference to the radar for each traffic feature, detecting and reporting the type of the abnormal network status and harmful or abnormal traffic that generates the abnormal network status, when the abnormal status occurs.

摘要翻译： 提供了使用交通流量雷达的网络状态显示装置。 网络状态显示装置包括：业务特征提取器，参考每个业务特征（例如网络地址）的业务信息来计算关于多个业务特征中的每一个的总流量，微流量和宏流量的流量占用率 ，端口，发送/接收主机地址或由外部交通信息收集器收集的协议，并存储计算结果; 交通状态显示单元，其显示针对每个交通特征点的雷达上计算并存储在交通特征提取器中的每个交通特征的流量占用率; 以及交通异常判定单元，针对每个流量特征，参照雷达确定网络状态是否异常，检测和报告异常网络状态的类型以及产生异常网络状态的有害或异常流量，当发生异常状态时 。