公开(公告)号：US09374382B2

公开(公告)日：2016-06-21

申请号：US14518623

申请日：2014-10-20

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Min-Ho Han ,  Jung-Tae Kim ,  Ik-Kyun Kim ,  Hyun-Sook Cho

IPC: G06F21/55 ,  H04L29/06 ,  H04W12/12

CPC classification number: H04L63/1416 ,  H04L63/1466 ,  H04L63/164

Abstract: An apparatus and a method for an attack source traceback capable of tracing back an attacker, that is, an attack source present behind a command and control (C&C) server in a cyber target attack having non-connectivity over a transmission control protocol (TCP) connection are disclosed. The apparatus for the attack source traceback includes: a server information extracting unit detecting an attack for a system, which is generated via a server to thereby extract information on the server; a traceback agent installing unit installing a traceback agent in the server based on the information on the server; and a traceback unit finding an attack source for the system by analyzing network information of the server obtained by the traceback agent.

Abstract translation: 一种用于跟踪攻击者的攻击源追溯的装置和方法，即在具有通过传输控制协议（TCP）上的非连接性的网络目标攻击中的命令和控制（C＆C）服务器后面的攻击源， 连接被公开。 用于攻击源追溯的装置包括：服务器信息提取单元，其检测经由服务器生成的系统的攻击，从而在服务器上提取信息; 追溯代理安装单元，基于服务器上的信息在服务器中安装回溯代理; 追溯单元通过分析由追溯代理获得的服务器的网络信息来查找系统的攻击源。

公开(公告)号：US11783034B2

公开(公告)日：2023-10-10

申请号：US17100541

申请日：2020-11-20

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Jung-Tae Kim ,  Ji-Hyeon Song ,  Ik-Kyun Kim ,  Young-Su Kim ,  Jong-Hyun Kim ,  Jong-Geun Park ,  Sang-Min Lee ,  Jong-Hoon Lee

IPC: G06F21/56 ,  G06N5/04 ,  G06N20/00

CPC classification number: G06F21/563 ,  G06N5/04 ,  G06N20/00 ,  G06F2221/033

Abstract: Disclosed herein are an apparatus and method for detecting a malicious script. The apparatus includes one or more processors and executable memory for storing at least one program executed by the one or more processors. The at least one program is configured to extract token-type features, each of which corresponds to a lexical unit, and tree-node-type features of an abstract syntax tree from an input script, to train two learning models to respectively learn two pieces of learning data that are generated in consideration of features extracted respectively from the token-type features and the node-type features as having the highest frequency, and to detect whether the script is a malicious script based on the result of ensemble-based malicious script detection performed for the script, which is acquired using an ensemble detection model generated from the two learning models.

公开(公告)号：US10805319B2

公开(公告)日：2020-10-13

申请号：US15807425

申请日：2017-11-08

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Jung-Tae Kim ,  Ik-Kyun Kim ,  Koo-Hong Kang

IPC: H04L29/06 ,  H04L12/721 ,  H04L12/733 ,  H04L12/751

Abstract: Disclosed herein are a stepping-stone detection apparatus and method. The stepping-stone detection apparatus includes a target connection information reception unit for receiving information about a target connection from an intrusion detection system (IDS), a fingerprint generation unit for generating a target connection fingerprint based on the information about the target connection, and generating one or more candidate connection fingerprints using information about one or more candidate connections corresponding to one or more flow information collectors, and a stepping-stone detection unit for detecting a stepping stone by comparing the target connection fingerprint, in which a maximum allowable delay time is reflected, with the candidate connection fingerprints.

公开(公告)号：US11790085B2

公开(公告)日：2023-10-17

申请号：US17461337

申请日：2021-08-30

Applicant: Electronics and Telecommunications Research Institute

Inventor： Jung-Tae Kim ,  Ji-Hyeon Song ,  Jong-Hyun Kim ,  Sang-Min Lee ,  Ik-Kyun Kim ,  Dae-Sung Moon

IPC: G06F21/56 ,  G06N20/00

CPC classification number: G06F21/564 ,  G06N20/00

Abstract: Disclosed herein are an apparatus for detecting unknown malware using a variable-length operation code (opcode) and a method using the apparatus. The method includes collecting opcode information from a detection target, generating a multi-pixel image having a variable length by performing feature engineering on the opcode information; and detecting unknown malware by inputting the multi-pixel image to a deep-learning model based on AI.

公开(公告)号：US10693908B2

公开(公告)日：2020-06-23

申请号：US15803062

申请日：2017-11-03

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Jung-Tae Kim ,  Ik-Kyun Kim

IPC: H04L29/06 ,  H04L12/26

Abstract: Disclosed herein are an apparatus and method for detecting a Distributed Reflection Denial of Service (DRDoS) attack. The DRDoS attack detection apparatus includes a network flow data reception unit for receiving network flow data from network equipment, a session type determination unit for determining a session type of the received network flow data, a host type determination unit for determining a type of host corresponding to the network flow data based on the session type, an attack method determination unit for determining an attack method corresponding to the network flow data, a protocol identification unit for identifying a protocol of the network flow data, and an attack detection unit for detecting a DRDoS attack based on the session type, the host type, the attack method, and the protocol.