公开(公告)号：US08965823B2

公开(公告)日：2015-02-24

申请号：US13475880

申请日：2012-05-18

Applicant: Seon Gyoung Sohn ,  Chi Yoon Jeong ,  Dong Ho Kang ,  Jung Chan Na ,  Ik Kyun Kim ,  Hyun Sook Cho

Inventor： Seon Gyoung Sohn ,  Chi Yoon Jeong ,  Dong Ho Kang ,  Jung Chan Na ,  Ik Kyun Kim ,  Hyun Sook Cho

IPC: G06F17/00 ,  G06N5/02 ,  G08B31/00

CPC classification number: G08B31/00

Abstract: The present invention relates to an insider threat detection device and method which collects and analyzes a variety of information generated by insiders working for an organization, such as behaviors, events, and states of the insider, and detects an abnormal insider who may become a potential threat. According to the present invention, the insider threat detection method and apparatus analyzes information related to insiders using the correlation analysis method, and previously detects an abnormal sign of an insider who may become a potential threat to an organization, which makes it possible to protect the organization from attacks on systems inside the organization or seizure of important information inside the organization.

Abstract translation: 本发明涉及一种内部威胁检测装置和方法，其收集和分析由内部人员为内部人员行为，事件和状态等内部人员所产生的各种信息，并检测可能成为潜在的异常内部人员 威胁。 根据本发明，内部威胁检测方法和装置使用相关分析方法分析与内部人相关的信息，并且先前检测到可能成为对组织的潜在威胁的内部人员的异常标志，这使得可以保护 组织对组织内的系统的攻击或组织内重要信息的检取。

公开(公告)号：US20130091085A1

公开(公告)日：2013-04-11

申请号：US13475880

申请日：2012-05-18

Applicant: Seon Gyoung SOHN ,  Chi Yoon Jeong ,  Dong Ho Kang ,  Jung Chan Na ,  Ik Kyun Kim ,  Hyun Sook Cho

Inventor： Seon Gyoung SOHN ,  Chi Yoon Jeong ,  Dong Ho Kang ,  Jung Chan Na ,  Ik Kyun Kim ,  Hyun Sook Cho

IPC: G06N5/02

CPC classification number: G08B31/00

Abstract: The present invention relates to an insider threat detection device and method which collects and analyzes a variety of information generated by insiders working for an organization, such as behaviors, events, and states of the insider, and detects an abnormal insider who may become a potential threat. According to the present invention, the insider threat detection method and apparatus analyzes information related to insiders using the correlation analysis method, and previously detects an abnormal sign of an insider who may become a potential threat to an organization, which makes it possible to protect the organization from attacks on systems inside the organization or seizure of important information inside the organization.

Abstract translation: 本发明涉及一种内部威胁检测装置和方法，其收集和分析由内部人员为内部人员行为，事件和状态等内部人员所产生的各种信息，并检测可能成为潜在的异常内部人员 威胁。 根据本发明，内部威胁检测方法和装置使用相关分析方法分析与内部人相关的信息，并且先前检测到可能成为对组织的潜在威胁的内部人员的异常标志，这使得可以保护 组织对组织内的系统的攻击或组织内重要信息的检取。

公开(公告)号：US08307441B2

公开(公告)日：2012-11-06

申请号：US12669633

申请日：2007-11-21

Applicant: Jong Hyun Kim ,  Geon Lyang Kim ,  Seon Gyoung Sohn ,  Beom Hwan Chang ,  Chi Yoon Jeong ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

Inventor： Jong Hyun Kim ,  Geon Lyang Kim ,  Seon Gyoung Sohn ,  Beom Hwan Chang ,  Chi Yoon Jeong ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC: G06F11/34

CPC classification number: H04L45/00 ,  H04L45/12 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1441 ,  H04L2463/146

Abstract: There are provided a system and method for tracing back an attacker by using centroid decomposition technique, the system including: a log data input module collecting log data of an intrusion alarm from an intrusion detection system; a centroid node detection module generating a shortest path tree by applying a shortest path algorithm to network router connection information collected by a network administration server, detecting a centroid node by applying centroid decomposition technique removing a leaf-node to the shortest path tree, and generating a centroid tree whose node of each level is the detected centroid node; and a traceback processing module requesting log data of a router matched with the node of each level of the centroid tree, and tracing back a router identical to the log data of the collected intrusion alarm as a router connected to a source of an attacker by comparing the log data of the router with the log data of the collected intrusion alarm. According to the system and method, an attacker causing a security intrusion event may be quickly detected, a load on the system is reduced, and a passage host exposed to a danger or having weaknesses may be easily recognized, thereby easily coping with an attack.

Abstract translation: 提供了一种通过使用质心分解技术跟踪攻击者的系统和方法，该系统包括：日志数据输入模块，从入侵检测系统收集入侵警报的日志数据; 质心节点检测模块，通过对网络管理服务器收集的网络路由器连接信息应用最短路径算法，生成最短路径树，通过应用质心分解技术检测质心节点，去除叶节点到最短路径树，并生成 每个级别的节点是检测到的质心节点的质心树; 以及回溯处理模块，请求与质心树的每个级别的节点匹配的路由器的日志数据，并且通过比较来跟踪与收集的入侵警报器的日志数据相同的路由器作为连接到攻击者的源的路由器 路由器的日志数据与收集的入侵报警的日志数据。 根据系统和方法，可以快速地检测到导致安全入侵事件的攻击者，系统上的负载减少，并且易于识别暴露于危险或具有弱点的通道主机，从而容易地应对攻击。

公开(公告)号：US08014310B2

公开(公告)日：2011-09-06

申请号：US12516494

申请日：2007-08-23

Applicant: Beom-Hwan Chang ,  Chi-Yoon Jeong ,  Seon-Gyoung Sohn ,  Soo-Hyung Lee ,  Hyo-Chan Bang ,  Geon-Lyang Kim ,  Hyun-Joo Kim ,  Won-Joo Park ,  Jong-Ho Ryu ,  Jong-Hyun Kim ,  Jong-Soo Jang ,  Sung-Won Sohn ,  Jung-Chan Na

Inventor： Beom-Hwan Chang ,  Chi-Yoon Jeong ,  Seon-Gyoung Sohn ,  Soo-Hyung Lee ,  Hyo-Chan Bang ,  Geon-Lyang Kim ,  Hyun-Joo Kim ,  Won-Joo Park ,  Jong-Ho Ryu ,  Jong-Hyun Kim ,  Jong-Soo Jang ,  Sung-Won Sohn ,  Jung-Chan Na

IPC: H04L12/26

CPC classification number: H04L63/1441 ,  H04L63/20

Abstract: An apparatus and method for visualizing a network condition related to a network security are provided. The apparatus includes a traffic feature extracting unit, a network condition displaying unit, and a traffic abnormal condition determining unit. The traffic feature extracting unit extracts information including source address, source port, destination address, and destination port from network traffics, selects two of the extracted information, and calculates unique dispersion degrees of two unselected information. The network condition displaying unit displays a two-dimensional cube expressed using the calculated unique dispersion degrees for the classified traffics. The traffic abnormal condition determining unit determines whether the traffics are in an abnormal condition or not based on the two-dimensional security cube.

Abstract translation: 提供了一种用于可视化与网络安全相关的网络条件的装置和方法。 该装置包括交通特征提取单元，网络状态显示单元和交通异常状况判定单元。 流量特征提取单元从网络流量提取包括源地址，源端口，目的地址和目的地端口的信息，选择两个提取的信息，并计算两个未选择信息的唯一色散度。 网络条件显示单元显示使用所计算的分类业务的唯一色散度表示的二维立方体。 交通异常判定单元基于二维安全立方体来判定是否处于异常状态。

公开(公告)号：US20110016525A1

公开(公告)日：2011-01-20

申请号：US12630672

申请日：2009-12-03

Applicant: Chi Yoon Jeong ,  Beom-Hwan Chang ,  Seon-Gyoung Sohn ,  Johg Ho Ryu ,  Geon Lyang Kim ,  Jonghyun Kim ,  Jung-Chan Na ,  Hyun sook Cho

Inventor： Chi Yoon Jeong ,  Beom-Hwan Chang ,  Seon-Gyoung Sohn ,  Johg Ho Ryu ,  Geon Lyang Kim ,  Jonghyun Kim ,  Jung-Chan Na ,  Hyun sook Cho

IPC: G06F21/00 ,  G06K9/68

CPC classification number: H04L63/1425

Abstract: An apparatus for detecting a network attack includes a traffic image generator for generating a traffic image using traffic information and additional IP information extracted from the traffic information; a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack; and a network attack analyzer for analyzing the traffic image at a time when the network attack is detected to detect network attack information and pattern information of the network attack. A representation unit for visualizing the network attack information and the pattern information of the network attack.

Abstract translation: 用于检测网络攻击的装置包括业务图像生成器，用于使用从业务信息提取的业务信息和附加IP信息来生成业务图像; 网络攻击检测器，用于基于预定的相似性阈值来比较业务图像和先前生成的业务图像之间的相似性，以检测网络攻击的存在; 以及网络攻击分析器，用于在检测到网络攻击时分析流量图像，以检测网络攻击信息和网络攻击的模式信息。 用于可视化网络攻击信息和网络攻击的模式信息的表示单元。

公开(公告)号：US07849187B2

公开(公告)日：2010-12-07

申请号：US11527850

申请日：2006-09-26

Applicant: Beom Hwan Chang ,  Jung Chan Na ,  Geon Lyang Kim ,  Dong Young Kim ,  Jin Oh Kim ,  Hyun Joo Kim ,  Hyo Chan Bang ,  Soo Hyung Lee ,  Seon Gyoung Shon ,  Jong Soo Jang ,  Sung Won Sohn

Inventor： Beom Hwan Chang ,  Jung Chan Na ,  Geon Lyang Kim ,  Dong Young Kim ,  Jin Oh Kim ,  Hyun Joo Kim ,  Hyo Chan Bang ,  Soo Hyung Lee ,  Seon Gyoung Shon ,  Jong Soo Jang ,  Sung Won Sohn

IPC: G06F15/16

CPC classification number: H04L43/028 ,  H04L43/062 ,  H04L43/16 ,  H04L63/1408

Abstract: A network status display device using a traffic pattern map is provided. The device includes: a traffic feature extractor extracting a port number of a port having the maximum occupancy of micro-flows and macro-flows for each network address section and host address section with reference to traffic information collected by an external traffic information collector, calculating and storing an occupancy rate of the port; a traffic status display unit making a network traffic pattern map expressed by destination-source network addresses and a host traffic pattern map expressed by destination-source host addresses and displaying the port information stored in the traffic feature extractor on the network traffic pattern map and the host traffic pattern map; and a traffic anomaly determination unit determining whether a network status is abnormal with reference to the network traffic pattern map and the host traffic pattern map and detecting and reporting a harmful or abnormal traffic which causes the abnormal network status. The device can determine whether the anomaly deteriorating the network performance exists and can easily and quickly detect the harmful or abnormal traffic which causes the anomaly by the use of the port information of the port having the maximum occupancy of the micro-flows and the macro-flows for each network address section and each host address section.

Abstract translation: 提供了使用业务模式图的网络状态显示设备。 该设备包括：流量特征提取器，参考由外部交通信息收集器收集的交通信息，提取每个网络地址部分和主机地址部分具有最大占用微流量和宏流量的端口的端口号，计算 并存储所述端口的占用率; 形成由目的地源网络地址表示的网络流量模式图的流量状态显示单元和由目的地 - 源主机地址表示的主机流量模式图，并且在网络流量模式图上显示存储在流量特征提取器中的端口信息，并且 主机流量模式图; 以及流量异常判定单元，基于网络流量模式图和主机流量模式图来判断网络状态是否异常，并检测并报告导致异常网络状态的有害或异常流量。 该设备可以确定异常是否存在网络性能恶化，并可以通过使用具有微流量最大占用端口的端口信息和宏观流量来轻松快速地检测导致异常的有害或异常流量， 每个网络地址部分和每个主机地址部分的流程。

公开(公告)号：US07787394B2

公开(公告)日：2010-08-31

申请号：US11599909

申请日：2006-11-15

Applicant: Beom Hwan Chang ,  Jung Chan Na ,  Geon Lyang Kim ,  Dong Young Kim ,  Jin Oh Kim ,  Hyun Joo Kim ,  Hyo Chan Bang ,  Soo Hyung Lee ,  Seon Gyoung Sohn ,  Jong Soo Jang ,  Sung Won Sohn

Inventor： Beom Hwan Chang ,  Jung Chan Na ,  Geon Lyang Kim ,  Dong Young Kim ,  Jin Oh Kim ,  Hyun Joo Kim ,  Hyo Chan Bang ,  Soo Hyung Lee ,  Seon Gyoung Sohn ,  Jong Soo Jang ,  Sung Won Sohn

IPC: H04L12/66 ,  G01R31/08 ,  H04W36/00

CPC classification number: H04L43/045 ,  H04L43/0817 ,  H04L43/16

Abstract: A network status display device using a traffic flow-radar is provided. The network status display device includes: a traffic feature extractor calculating flow occupancy rates for total flows, micro-flows and macro-flows with respect to each of a plurality of traffic features with reference to traffic information for each traffic feature such as a network address, a port, a transmitting/receiving host address or a protocol collected by an external traffic information collector, and storing the calculation result; a traffic status display unit displaying the flow occupancy rates for each traffic feature calculated and stored in the traffic feature extractor on a radar with dots for each traffic feature; and a traffic anomaly determination unit determining whether a network status is abnormal with reference to the radar for each traffic feature, detecting and reporting the type of the abnormal network status and harmful or abnormal traffic that generates the abnormal network status, when the abnormal status occurs.

Abstract translation: 提供了使用交通流量雷达的网络状态显示装置。 网络状态显示装置包括：业务特征提取器，参考每个业务特征（例如网络地址）的业务信息来计算关于多个业务特征中的每一个的总流量，微流量和宏流量的流量占用率 ，端口，发送/接收主机地址或由外部交通信息收集器收集的协议，并存储计算结果; 交通状态显示单元，其显示针对每个交通特征点的雷达上计算并存储在交通特征提取器中的每个交通特征的流量占用率; 以及交通异常判定单元，针对每个流量特征，参照雷达确定网络状态是否异常，检测和报告异常网络状态的类型以及产生异常网络状态的有害或异常流量，当发生异常状态时 。

公开(公告)号：US20100212013A1

公开(公告)日：2010-08-19

申请号：US12669633

申请日：2007-11-21

Applicant: Jong Hyun Kim ,  Geon Lyang Kim ,  Seon Gyoung Sohn ,  Beom Hwan Chang ,  Chi Yoon Jeong ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

Inventor： Jong Hyun Kim ,  Geon Lyang Kim ,  Seon Gyoung Sohn ,  Beom Hwan Chang ,  Chi Yoon Jeong ,  Jong Ho Ryu ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC: G06F11/34

CPC classification number: H04L45/00 ,  H04L45/12 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1441 ,  H04L2463/146

Abstract: There are provided a system and method for tracing back an attacker by using centroid decomposition technique, the system including: a log data input module collecting log data of an intrusion alarm from an intrusion detection system; a centroid node detection module generating a shortest path tree by applying a shortest path algorithm to network router connection information collected by a network administration server, detecting a centroid node by applying centroid decomposition technique removing a leaf-node to the shortest path tree, and generating a centroid tree whose node of each level is the detected centroid node; and a traceback processing module requesting log data of a router matched with the node of each level of the centroid tree, and tracing back a router identical to the log data of the collected intrusion alarm as a router connected to a source of an attacker by comparing the log data of the router with the log data of the collected intrusion alarm. According to the system and method, an attacker causing a security intrusion event may be quickly detected, a load on the system is reduced, and a passage host exposed to a danger or having weaknesses may be easily recognized, thereby easily coping with an attack.

Abstract translation: 提供了一种通过使用质心分解技术跟踪攻击者的系统和方法，该系统包括：日志数据输入模块，从入侵检测系统收集入侵警报的日志数据; 质心节点检测模块，通过对网络管理服务器收集的网络路由器连接信息应用最短路径算法，生成最短路径树，通过应用质心分解技术检测质心节点，去除叶节点到最短路径树，并生成 每个级别的节点是检测到的质心节点的质心树; 以及回溯处理模块，请求与质心树的每个级别的节点匹配的路由器的日志数据，并且通过比较来跟踪与收集的入侵警报器的日志数据相同的路由器作为连接到攻击者的源的路由器 路由器的日志数据与收集的入侵报警的日志数据。 根据系统和方法，可以快速地检测到导致安全入侵事件的攻击者，系统上的负载减少，并且易于识别暴露于危险或具有弱点的通道主机，从而容易地应对攻击。

公开(公告)号：US20100067391A1

公开(公告)日：2010-03-18

申请号：US12516494

申请日：2007-08-23

Applicant: Beom-Hwan Chang ,  Chi-Yoon Jeong ,  Seon-Gyoung Sohn ,  Soo-Hyung Lee ,  Hyo-Chan Bang ,  Geon-Lyang Kim ,  Hyun-Joo Kim ,  Won-Joo Park ,  Jong-Ho Ryu ,  Jong-Hyun Kim ,  Jong-Soo Jang ,  Sung-Won Sohn ,  Jung-Chan Na

Inventor： Beom-Hwan Chang ,  Chi-Yoon Jeong ,  Seon-Gyoung Sohn ,  Soo-Hyung Lee ,  Hyo-Chan Bang ,  Geon-Lyang Kim ,  Hyun-Joo Kim ,  Won-Joo Park ,  Jong-Ho Ryu ,  Jong-Hyun Kim ,  Jong-Soo Jang ,  Sung-Won Sohn ,  Jung-Chan Na

IPC: H04L12/26

CPC classification number: H04L63/1441 ,  H04L63/20

Abstract: An apparatus and method for visualizing a network condition related to a network security are provided. The apparatus includes a traffic feature extracting unit, a network condition displaying unit, and a traffic abnormal condition determining unit. The traffic feature extracting unit extracts information including source address, source port, destination address, and destination port from network traffics, selects two of the extracted information, and calculates unique dispersion degrees of two unselected information. The network condition displaying unit displays a two-dimensional cube expressed using the calculated unique dispersion degrees for the classified traffics. The traffic abnormal condition determining unit determines whether the traffics are in an abnormal condition or not based on the two-dimensional security cube.

Abstract translation: 提供了一种用于可视化与网络安全相关的网络状况的装置和方法。 该装置包括交通特征提取单元，网络状态显示单元和交通异常状况判定单元。 流量特征提取单元从网络流量提取包括源地址，源端口，目的地址和目的地端口的信息，选择两个提取的信息，并计算两个未选择信息的唯一色散度。 网络条件显示单元显示使用所计算的分类业务的唯一色散度表示的二维立方体。 交通异常判定单元基于二维安全立方体来判定是否处于异常状态。

公开(公告)号：US07539147B2

公开(公告)日：2009-05-26

申请号：US11077638

申请日：2005-03-11

Applicant: Beom Hwan Chang ,  Soo Hyung Lee ,  Jin Oh Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

Inventor： Beom Hwan Chang ,  Soo Hyung Lee ,  Jin Oh Kim ,  Jung Chan Na ,  Jong Soo Jang ,  Sung Won Sohn

IPC: G01R31/08

CPC classification number: H04L41/22 ,  H04L41/06 ,  H04L43/0817

Abstract: Provided is an apparatus for detecting and visualizing anomalies in network traffic which includes a traffic information storing portion storing information on network traffic, a traffic state display portion presenting a status of the network traffic generated for a predetermined threshold time based on the information on network traffic on an orthogonal coordinates system in a form of a graph connecting at least one point data as a coordinate value, and a traffic anomalies determination portion determining an existence of anomalies in the network traffic based on a shape of the graph.

Abstract translation: 提供了一种用于检测和可视化网络流量异常的装置，其包括存储关于网络流量的信息的交通信息存储部分，基于关于网络流量的信息呈现针对预定阈值时间生成的网络流量的状态的交通状态显示部分 以连接至少一个点数据作为坐标值的图形的正交坐标系，以及基于图形的形状来确定网络业务中的异常的存在的业务异常确定部分。