    1. APPARATUS AND METHOD FOR DETECTING MALICIOUS CODE, MALICIOUS CODE VISUALIZATION DEVICE AND MALICIOUS CODE DETERMINATION DEVICE
    Invention application; status: pending (published)

    Publication number: US20120240231A1

    Publication date: 2012-09-20

    Application number: US13397780

    Application date: 2012-02-16

    IPC classification: G06F21/00

    CPC classification: G06F21/564

    Abstract: An apparatus for detecting a malicious code includes a malicious code visualization device for generating a graph for a malicious file by using strings in the malicious file, the connections among the strings and the entropies of the strings, and for establishing a malicious code database with the generated graph for the malicious file. The apparatus further includes a malicious code determination device for generating a graph for a specific executable file and comparing the graph for the executable file with the graphs for malicious files stored in the malicious code database to detect a malicious code in the executable file.


    2. APPARATUS AND METHOD FOR DISPLAYING STATE OF NETWORK
    Invention application; status: pending (published)

    Publication number: US20100150008A1

    Publication date: 2010-06-17

    Application number: US12530193

    Application date: 2008-03-07

    IPC classification: H04L12/26

    Abstract: There are provided a network state display apparatus and method capable of easily determining the present network security state in real time by analyzing, in software, an abnormality and the harmful traffic that deteriorate the performance of a network, using the result of combining essential characteristics of the traffic, a distinct dispersion and an entropy, and displaying the network state so that it can be intuitively recognized. The method includes selecting and combining three of a source address, a source port, a destination address and a destination port of collected traffic and calculating a distinct dispersion and an entropy of the residual one therefrom; displaying the calculated distinct dispersion and entropy on a security radar where the distinct dispersion and the entropy are assigned to an angle and a radius; determining whether the network state is abnormal, based on the result displayed on the security radar; and detecting and reporting detailed information on the abnormal traffic causing the abnormal network state.


    3. APPARATUS AND METHOD OF DETECTING NETWORK ATTACK SITUATION
    Invention application; status: pending (published)

    Publication number: US20090094699A1

    Publication date: 2009-04-09

    Application number: US12275906

    Application date: 2008-11-21

    IPC classification: G06F15/18 G08B23/00

    Abstract: Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and the number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving from the external device a predetermined critical value that is the basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Hash engines and detection engines for processing the alarms in the network, equal in number to the number of data groups classified as network attack situations, are arranged in a line. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.


    4. APPARATUS AND METHOD FOR SAMPLING SECURITY EVENT BASED ON CONTENTS OF THE SECURITY EVENT
    Invention application; status: in force (granted)

    Publication number: US20110016208A1

    Publication date: 2011-01-20

    Application number: US12667130

    Application date: 2007-11-19

    IPC classification: G06F15/173

    CPC classification: H04L63/1416 G06Q10/06

    Abstract: There are provided an apparatus and method for sampling a security event based on the contents of the security event, the apparatus including: a security event accumulation module collecting security events occurring in a network system and storing the security events by type according to the contents of each security event; a security event analysis module calculating the distribution of the security events for each type by analyzing the stored security events; and a security event extraction module sampling the stored security events according to the calculated distribution of the security events for each type. The apparatus and method may improve the speed of visualization of a security event and of a security event analysis apparatus, and may increase the accuracy thereof.


    5. Apparatus and method of detecting network attack situation
    Granted invention patent; status: in force

    Publication number: US07596810B2

    Publication date: 2009-09-29

    Application number: US11081682

    Application date: 2005-03-17

    IPC classification: G08B23/00 G06F15/173

    Abstract: Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and the number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving from the external device a predetermined critical value that is the basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Hash engines and detection engines for processing the alarms in the network, equal in number to the number of data groups classified as network attack situations, are arranged in a line. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.


    6. APPARATUS AND METHOD FOR DETECTING ABNORMAL HOST BASED ON SESSION MONITORING
    Invention application; status: pending (published)

    Publication number: US20120090027A1

    Publication date: 2012-04-12

    Application number: US13271598

    Application date: 2011-10-12

    IPC classification: G06F21/20 G06F11/30

    Abstract: An apparatus for detecting an abnormal host based on session monitoring includes: a host information collection unit for collecting information on the processes being executed in hosts and on the sessions connected by the hosts; a network traffic monitoring unit for collecting network traffic information; an analysis unit for calculating an entropy of each host based on the collected session information and analyzing the correlation between hosts based on the calculated entropy and the network traffic information; and a detection unit for detecting an abnormal host, and the process causing harmful traffic in the abnormal host, based on the correlation, and updating a black list based on the detected host and process.


    7. Apparatus and method for sampling security events based on contents of the security events
    Granted invention patent; status: in force

    Publication number: US08140671B2

    Publication date: 2012-03-20

    Application number: US12667130

    Application date: 2007-11-19

    IPC classification: G06F15/173

    CPC classification: H04L63/1416 G06Q10/06

    Abstract: There are provided an apparatus and method for sampling a security event based on the contents of the security event, the apparatus including: a security event accumulation module collecting security events occurring in a network system and storing the security events by type according to the contents of each security event; a security event analysis module calculating the distribution of the security events for each type by analyzing the stored security events; and a security event extraction module sampling the stored security events according to the calculated distribution of the security events for each type. The apparatus and method may improve the speed of visualization of a security event and of a security event analysis apparatus, and may increase the accuracy thereof.


    9. APPARATUS AND METHOD FOR MONITORING SECURITY STATUS OF WIRELESS NETWORK
    Invention application; status: pending (published)

    Publication number: US20100162392A1

    Publication date: 2010-06-24

    Application number: US12482716

    Application date: 2009-06-11

    IPC classification: H04L9/00 G06F11/30

    CPC classification: H04W12/12 H04L63/1416

    Abstract: An apparatus for monitoring the security status of a wireless network is provided. The apparatus includes a radio frequency (RF) signal collection unit which collects at least one piece of RF signal information; a security event information collection unit which collects security event information including at least one of traffic information and alert information; a security event information mapping unit which maps the RF signal information to the security event information based on the correlation between them; and a security event information display unit which displays the result of the mapping performed by the security event information mapping unit. Therefore, a network administrator can intuitively recognize the security status of a wireless network, because RF signal information and security event information are collected from the wireless network, mapped to each other based on the correlation between them, and displayed as the result of the mapping.


    10. GIS BASED NETWORK INFORMATION MONITORING-SYSTEM
    Invention application; status: pending (published)

    Publication number: US20100030892A1

    Publication date: 2010-02-04

    Application number: US12471005

    Application date: 2009-05-22

    IPC classification: G06F15/173

    CPC classification: H04L63/1416 H04L63/1441

    Abstract: Disclosed is a GIS based network information monitoring system that intuitively combines GIS based geographic information with traffic information and security events, expresses the combined geographic information on a display, and does not need position calibration of the network information when the traffic information and the security events are expressed. The GIS based network information monitoring system includes: a geographic information processing module receiving network information containing GIS based geographic information from an external network device, and creating geographic information corresponding to location information in response to that location information; and a network information processing module mapping the network information to the geographic information corresponding to the location information in order to express the mapped network information, connecting the attack site of a packet causing a security problem, an intermediate site and the target site using lines, and intuitively expressing the network information by varying the widths and colors of the lines according to the attack type and danger level of the packet.
