APPARATUS AND METHOD FOR DETECTING ANOMALITY SIGN IN CONTROLL SYSTEM
    1.
    Invention application
    Status: Granted

    Publication number: US20140298399A1

    Publication date: 2014-10-02

    Application number: US13927794

    Filing date: 2013-06-26

    CPC classification number: H04L63/1416

    Abstract: An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the apparatus includes an information collection module configured to collect system information, network information, security event information or transaction information in interworking with the control equipments, network equipments, security equipments or server equipments. The apparatus includes a storage module that stores the information collected by the information collection module. The apparatus includes an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system.


    PACKET MONITORING DEVICE AND PACKET MONITORING METHOD FOR COMMUNICATION PACKET
    2.
    Invention application
    Status: Under examination (published)

    Publication number: US20160277547A1

    Publication date: 2016-09-22

    Application number: US15069831

    Filing date: 2016-03-14

    CPC classification number: H04L43/18 H04L43/028 H04L63/1425

    Abstract: Provided is a packet monitoring method for a communication packet transmitted and received between a server and a control device including receiving the communication packet transmitted and received between the server and the control device; determining whether the received communication packet is abnormal, based on a history table including control information on communication packets received before the received communication packet and control information on the received communication packet; and performing a security operation according to results of the determination.


    METHOD FOR DETECTING ABNORMAL TRAFFIC ON CONTROL SYSTEM PROTOCOL
    3.
    Invention application
    Status: Granted

    Publication number: US20140297004A1

    Publication date: 2014-10-02

    Application number: US13933822

    Filing date: 2013-07-02

    Abstract: A method for detecting an abnormal traffic on a control system protocol, includes: checking whether session information exists in a management table; adding a new entry to the management table; checking whether a transaction ID in a table entry is the same as that of the received MODBUS request message; and checking whether data and length thereof of the received MODBUS request message are the same as those in the table entry. Further, the method includes detecting an abnormal traffic; and updating the table entry with packet information of the MODBUS request message.


    APPARATUS AND METHOD FOR ANALYZING RULE-BASED SECURITY EVENT ASSOCIATION
    4.
    Invention application
    Status: Granted

    Publication number: US20130160074A1

    Publication date: 2013-06-20

    Application number: US13714362

    Filing date: 2012-12-13

    Inventor: Dong Ho KANG

    CPC classification number: G06F21/00 G06F21/554

    Abstract: An apparatus for analyzing rule-based security event association includes a rule management unit to check whether a security event is a candidate security event requiring association analysis, and an event management unit to analyze the candidate security event and check whether the analyzed security event is the candidate security event requiring association analysis. An association processing unit analyzes whether an association event of a rule DB corresponding to a user ID of the candidate security event is matched with a user event list to generate an association analysis result.


    SYSTEM AND METHOD FOR DETECTING ABNORMAL BEHAVIOR OF CONTROL SYSTEM
    5.
    Invention application
    Status: Under examination (published)

    Publication number: US20150341380A1

    Publication date: 2015-11-26

    Application number: US14667137

    Filing date: 2015-03-24

    CPC classification number: H04L63/1425 H04L63/1458 H04L69/22

    Abstract: Provided are a system and method for detecting an abnormal behavior of a control system by analyzing flows of the control system. Flow information of the control network is collected, and flows are classified according to the collected flow information and a flow group is generated. An abnormal behavior of the control system is detected by analyzing flows of the generated flow group. That is, internal systems of the control network are grouped according to functions, and a situation of a system of a group performing the same function is managed to thus quickly detect an abnormal behavior of the control system.


    ABNORMAL TRAFFIC DETECTION APPARATUS AND METHOD BASED ON MODBUS COMMUNICATION PATTERN LEARNING
    6.
    Invention application
    Status: Granted

    Publication number: US20150381642A1

    Publication date: 2015-12-31

    Application number: US14699449

    Filing date: 2015-04-29

    Abstract: An abnormal traffic detection apparatus and method based on Modbus communication pattern learning is provided. The abnormal traffic detection apparatus based on the Modbus communication pattern learning previously detects and responds to abnormal traffic on a Modbus/TCP protocol. According to the present invention, a communication service between control systems can be stably provided by previously detecting the abnormal traffic capable of interfering with a stable operation of the control system. Particularly, since the effective abnormal traffic on the Modbus/TCP protocol can be previously detected, security of the control system can be increased by rapid detection and response with respect to security threats on the Intranet of the control system, and availability can be secured.
