1. METHOD AND APPARATUS FOR MALWARE DETECTION
    Invention application; status: pending (published)

    Publication No.: US20090133125A1

    Publication date: 2009-05-21

    Application No.: US12209249

    Filing date: 2008-09-12

    IPC class: G06F21/00

    CPC class: G06F21/562 G06F21/56

    Abstract: The present invention relates to an apparatus and method for detecting malware. The malware detection apparatus and method of the present invention determine whether a file is malware by analyzing the header of an executable file. Since the apparatus and method can quickly detect the presence of malware, they shorten detection time considerably. They can also detect unknown malware as well as known malware, and thereby estimate and determine the presence of malware. It is therefore possible to cope with malware in advance, protect a system by program, and raise the security level remarkably.


2. METHOD OF EXTRACTING WINDOWS EXECUTABLE FILE USING HARDWARE BASED ON SESSION MATCHING AND PATTERN MATCHING AND APPARATUS USING THE SAME
    Invention application; status: in force

    Publication No.: US20100146621A1

    Publication date: 2010-06-10

    Application No.: US12503288

    Filing date: 2009-08-17

    CPC class: H04L63/145 G06F21/564

    Abstract: A method and apparatus for extracting a Windows executable file are provided that can search for a pattern related to Windows executable files among a large quantity of network packets, using hardware-based session tracking and pattern matching technology, and that can extract all packets belonging to the corresponding session. The method of extracting a Windows executable file includes: collecting incoming packets that carry a payload and belong to the session of a reference packet containing an MZ pattern; performing portable executable (PE) pattern matching on the collected incoming packets; and forming a PE file from at least one incoming packet that satisfies the PE pattern matching.


3. Method of extracting Windows executable file using hardware based on session matching and pattern matching and apparatus using the same
    Granted invention patent; status: in force

    Publication No.: US08230503B2

    Publication date: 2012-07-24

    Application No.: US12503288

    Filing date: 2009-08-17

    IPC class: H04L29/06

    CPC class: H04L63/145 G06F21/564

    Abstract: A method and apparatus for extracting a Windows executable file are provided that can search for a pattern related to Windows executable files among a large quantity of network packets, using hardware-based session tracking and pattern matching technology, and that can extract all packets belonging to the corresponding session. The method of extracting a Windows executable file includes: collecting incoming packets that carry a payload and belong to the session of a reference packet containing an MZ pattern; performing portable executable (PE) pattern matching on the collected incoming packets; and forming a PE file from at least one incoming packet that satisfies the PE pattern matching.


4. Apparatus and method for detecting network attack
    Granted invention patent; status: in force

    Publication No.: US08095973B2

    Publication date: 2012-01-10

    Application No.: US11926132

    Filing date: 2007-10-29

    CPC class: H04L63/1408

    Abstract: A network attack detection apparatus and method are provided that are capable of detecting even unknown network attacks. The apparatus is connected between two networks, or via port mirroring of an Ethernet switch, so as to monitor in real time all packets flowing through the networks. The apparatus decodes the payload portion of an input network packet into machine code instructions, determines whether executable code is included in the decoded machine code by analyzing the relationships between instructions, and, when executable code is included, determines whether the packet is harmful based on statistics on the probability that executable code exists in a given service and in a given transaction of that service.


5. APPARATUS AND METHOD FOR DETECTING NETWORK ATTACK
    Invention application; status: in force

    Publication No.: US20080134334A1

    Publication date: 2008-06-05

    Application No.: US11926132

    Filing date: 2007-10-29

    IPC class: G06F11/00

    CPC class: H04L63/1408

    Abstract: A network attack detection apparatus and method are provided that are capable of detecting even unknown network attacks. The apparatus is connected between two networks, or via port mirroring of an Ethernet switch, so as to monitor in real time all packets flowing through the networks. The apparatus decodes the payload portion of an input network packet into machine code instructions, determines whether executable code is included in the decoded machine code by analyzing the relationships between instructions, and, when executable code is included, determines whether the packet is harmful based on statistics on the probability that executable code exists in a given service and in a given transaction of that service.


6. Method and apparatus for detecting executable code
    Granted invention patent; status: lapsed

    Publication No.: US08166545B2

    Publication date: 2012-04-24

    Application No.: US12044393

    Filing date: 2008-03-07

    IPC class: G06F11/00

    Abstract: An apparatus and method for detecting executable code are provided that can verify the reliability of an extracted signature by determining whether executable code is present in network data, using instruction pattern information related to the function-calling mechanism to distinguish executable code from non-executable code. The method includes: forming instructions by disassembling network data suspected of being an attack; comparing each formed instruction with instruction patterns according to the function-calling mechanism; and determining whether executable code is present in the network data according to the result of the comparison.


9. Method and apparatus for storing intrusion rule
    Granted invention patent; status: lapsed

    Publication No.: US07735137B2

    Publication date: 2010-06-08

    Application No.: US11484257

    Filing date: 2006-07-10

    CPC class: H04L63/1416

    Abstract: A method and apparatus for storing an intrusion rule are provided. The method stores a new intrusion rule in an intrusion detection system that already holds stored intrusion rules, and includes: generating combinations of divisions capable of splitting the new intrusion rule into a plurality of partial intrusion rules; calculating, for each generated division combination, the frequency of hash value collisions with the already stored intrusion rules; dividing the new intrusion rule according to the division combination with the lowest calculated collision frequency; and storing the divided new intrusion rule in the corresponding position of the intrusion detection system. With this method and apparatus, the storage space occupied by intrusion rules can be reduced, and the pattern matching performance of the intrusion detection system can be enhanced.


10. Method of storing pattern matching policy and method of controlling alert message
    Granted invention patent; status: lapsed

    Publication No.: US07735128B2

    Publication date: 2010-06-08

    Application No.: US11635245

    Filing date: 2006-12-07

    IPC class: G06F9/00 G06F7/04 H04L9/00

    CPC class: H04L12/5602

    Abstract: A method of storing a pattern matching policy and a method of controlling an alert message are provided. The method includes: (a) generating a content structure as a sub-structure of the header combination structure of a stored traffic pattern, which is a policy to be newly applied to a pattern matching apparatus; (b) determining whether the content of the stored traffic pattern is identical to the content of an original traffic pattern stored in advance in the pattern matching apparatus; (c) if the two contents are identical, allocating the content index of the original traffic pattern's content to the content of the stored traffic pattern; and (d) determining whether the header combination structure of the original traffic pattern comprises only one content structure or more than one, and, if it comprises only one, allocating the header index of the stored traffic pattern's header combination structure to the header combination structure of the original traffic pattern. Accordingly, hardware memories with limited storage capacity can be used efficiently and the pattern matching function performed effectively.
