KR101663935B1 - System and method for protecting against phishing and pharming - Google Patents

System and method for protecting against phishing and pharming

Info

Publication number
KR101663935B1
Authority
KR
South Korea
Prior art keywords
site
user
hash value
access
information
Prior art date
Application number
KR1020160073349A
Other languages
Korean (ko)
Inventor
신남규
신선우
Original Assignee
신남규
신선우
Application filed by 신남규, 신선우
Priority to KR1020160073349A
Application granted
Publication of KR101663935B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a phishing and pharming prevention system and a method thereof. The phishing and pharming prevention system comprises: an agent installed in a user computer; and an external device to perform a phishing and pharming prevention operation by communicating with the agent from outside the user computer. The agent produces a hash value by using an HTML document of a specific site displayed by a web browser of the user computer and transmits the hash value to the external device. Moreover, the agent outputs a harmful website access warning according to a control signal outputted from the external device. When a user attempts to access a site through the user computer, the external device monitors whether the access attempt is a normal site access attempt intended by the user and whether the site accessed by the site access attempt is a normal site or a harmful site. The external device performs at least one of site access prevention, harmful site access warning, and harmful site list registration based on the monitoring result.

Description

The present invention relates to a phishing and pharming prevention system and method, and more particularly, to a system and method that compare the user's actual input operation information with site access information to block access to harmful sites not intended by the user, so that the user computer cannot be controlled by malicious programs such as phishing and pharming.

Recently, phishing and pharming have been used to commit crimes over the Internet. Phishing is a fraud technique in which mail disguised as coming from the website of a financial institution or the like is used to extract personal identification numbers, credit card numbers and account information for illegal use. Pharming is a newer computer crime technique that steals personal information after taking over a user's legitimately owned domain, or by tampering with the Domain Name System (DNS) or proxy server address so that users are induced to connect to a fake site they mistake for the real site.

Pharming is a newer Internet fraud method that followed phishing. Even if the user correctly inputs the address of the web site they intend to access, a user computer infected with malicious code (or a malicious program) redirects the traffic and shows the user the fake site, which causes more serious damage.

Moreover, in the case of phishing, the user can readily notice the fraud by checking the address information of the site being accessed, but in the case of pharming, the user is easily deceived even when looking carefully at the domain address or the URL address. That is, pharming is more likely than phishing to cause harm, because users access sites they know and use without any suspicion and readily reveal personal IDs, passwords, and financial information.

In the past, to prevent damage caused by phishing and pharming, a vaccine or a malicious code removal program was installed in the user's computer. However, such programs can detect only the malicious code (or malicious programs) known before the update, so infection with the malicious code of a new pharming site was difficult to detect and respond to.

The background art of the present invention is disclosed in Korean Patent No. 10-1244649 (registered on March 13, 2013, Pharming Defense Method).

An object of the present invention is to provide a phishing and pharming prevention system and method that compare the user's actual input operation information with site access information to block access to harmful sites not intended by the user, so that the user computer cannot be controlled by malicious programs such as phishing and pharming.

According to an aspect of the present invention, there is provided a phishing and pharming prevention system comprising: an agent installed in a user's computer; and an external device that communicates with the agent from outside the user computer to perform anti-phishing and anti-pharming operations. The agent generates a hash value using an HTML document of a specific site displayed through a web browser of the user computer, outputs the hash value to the external device, and outputs a harmful site connection warning on the screen according to a control signal output from the external device. When a site connection attempt is made through the user computer, the external device monitors whether the connection attempt is a normal site connection attempt intended by the user and whether the site connected by the attempt is a normal site or a harmful site, and, based on the monitoring result, performs at least one of site connection blocking, harmful site connection warning, and registration in the harmful site list.

In the present invention, the external device may be connected to the front end or the rear end of a router that allows at least one computer to share one Internet line, or may be included in the router and perform the function of the router at the same time.

In the present invention, the external device may include an input device monitoring unit for monitoring input operations through an input device including a keyboard and a mouse, to determine whether a site connection attempt is a normal site connection attempt intended by the user. As a means for preventing a DDoS attack, a monitoring unit operating as a control unit in the external device determines that there is a normal connection attempt if the user attempts to connect to a specific site through the input device. If there is a connection attempt to the specific site without passing through the input device, it determines that there is an abnormal connection attempt, including a DDoS attack, blocks the connection request and notifies the user.

In the present invention, the input device monitoring unit monitors information input through the input device, and simultaneously transmits the input information to a keyboard port and a mouse port of the user computer.

In the present invention, the external device includes a monitoring unit that monitors whether the site connection attempt is a normal site connection attempt intended by the user and whether the connection is a normal site connection or a harmful site connection. The monitoring unit includes: a hash value generation unit for generating a hash value (first hash value) using an HTML document of a specific site including a government office; a hash value comparing unit for comparing the hash value generated by the hash value generation unit with a hash value (second hash value) generated from an HTML document of the site currently accessed through the agent of the user's computer; a URL inquiry analyzer for inquiring and analyzing whether the URL address of the site to which the connection is attempted is a normal site address or a harmful site address; and a blacklist registration unit for registering the harmful site information in the blacklist DB when the connected specific site is a harmful site.

In the present invention, the monitoring unit of the external device monitors whether the agent has been forcibly terminated by communicating with the agent at a predetermined cycle. If the agent is forcibly terminated, the monitoring unit outputs a warning through a built-in alarm unit, or does not transmit the input information of the input device including the keyboard and the mouse to the user computer, thereby making it impossible to control the user computer.

In the present invention, the external device includes a whitelist DB for managing access information of specific sites including financial institutions and public offices, and a blacklist DB for managing access information of harmful sites. The monitoring unit in the external device periodically updates the access information managed in the whitelist DB and the blacklist DB by communicating with the management server, and information is transmitted to the server of the relevant organization. The access information managed by the whitelist DB and the blacklist DB includes at least one of a search word, a keyword, a domain address, an IP address, and a URL address.

A phishing and pharming prevention method according to another aspect of the present invention uses an agent installed in a user's computer and an external device that communicates with the agent from outside the user's computer to perform anti-phishing and anti-pharming operations, and comprises: an input device monitoring step in which a monitoring unit in the external device monitors, when the user attempts to access a specific site through the user computer, whether there is input through an input device including a keyboard and a mouse; an address analysis step in which the monitoring unit compares and analyzes the URL address or the IP address of the specific site to which connection is attempted against the information stored in advance in the W/L (White List) DB and the B/L (Black List) DB; a hash value analysis step in which the monitoring unit generates a hash value of the HTML document of the currently connected specific site and compares that hash value (second hash value) with the stored hash value (first hash value) generated in advance from the HTML document of the specific site; and a step in which, when connection to a harmful site is detected in at least one of the input device monitoring, the address analysis, and the hash value analysis, the monitoring unit performs at least one of blocking access to the site, issuing a harmful site connection warning, and registering in the harmful site list.

In the present invention, the monitoring unit periodically updates the access information managed in the W/L DB and the B/L DB by communicating with the management server, and transmits information of the false site corresponding to the actual site information to a server. The W/L DB manages access information of specific sites including financial institutions and government offices, and the B/L DB manages the access information of harmful sites. The access information managed in the whitelist DB and the blacklist DB includes at least one of a search word, a keyword, a domain address, an IP address, and a URL address, and a smart card of a predetermined type is used as an authentication means for device authentication when the W/L DB and the B/L DB are updated.

In the monitoring step, the monitoring unit determines that there is a normal connection attempt if the user attempts to connect to the specific site through the input device, and determines that there is an abnormal connection attempt, including a DDoS attack, if there is a connection attempt to the specific site without passing through the input device. In that case, the connection request is blocked and the user is notified. The monitoring unit also communicates periodically with the agent; when the agent is terminated and communication is impossible, the monitoring unit outputs a warning through the built-in alarm unit, or does not transfer the input information of the input device to the user's computer so that the user's computer cannot be controlled.

According to an aspect of the present invention, the user's actual input operation information is compared with site access information to block access to a malicious site not intended by the user.

BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is an exemplary diagram showing a schematic configuration of a phishing and pharming prevention system according to a first embodiment of the present invention.
FIG. 2 is an exemplary diagram showing a schematic configuration of a phishing and pharming prevention system according to a second embodiment of the present invention.
FIG. 3 is an exemplary view showing a schematic configuration of a phishing and pharming prevention system according to a third embodiment of the present invention.
FIG. 4 is a flowchart for explaining a phishing and pharming prevention method according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating a method of registering with a management server for updating data of a phishing and anti-pharming apparatus according to an embodiment of the present invention.

Hereinafter, an embodiment of a phishing and pharming prevention system and method according to the present invention will be described with reference to the accompanying drawings.

In this process, the thicknesses of the lines and the sizes of the components shown in the drawings may be exaggerated for clarity and convenience of explanation. In addition, the terms described below are defined in consideration of the functions of the present invention, and may vary depending on the intention or custom of the user or operator. Therefore, definitions of these terms should be made based on the contents throughout this specification.

FIG. 1 is an exemplary view showing a schematic configuration of a phishing and pharming prevention system according to a first embodiment of the present invention.

Referring to FIG. 1, the phishing and anti-pharming apparatus 300 according to the present embodiment is connected to the front end or the rear end of the router 200, which allows the user computer (PC) 100 in which an agent is installed and at least one other computer to share one Internet line. The apparatus compares the user's actual input operation information (for example, keyboard or mouse input operation information for use of a computer) with the site access information, and blocks the connection of harmful sites that the user does not intend based on the comparison result.

As shown in FIG. 1, the phishing and anti-pharming apparatus 300 according to the present embodiment may be implemented as an apparatus 300 connected to the front end or the rear end of the router 200 to operate independently. Alternatively, as in the phishing and pharming prevention apparatuses according to the second and third embodiments shown in FIGS. 2 and 3, it may be embodied as a device 200 included in the router 200 that performs the network sharing function in parallel.

Referring to FIG. 1, the phishing and anti-pharming apparatus 300 according to the present embodiment includes a monitoring unit 310 for monitoring whether a site connection is a normal site connection or a harmful site connection, a normal site list (white list, W/L) 320, a harmful site list (black list, B/L) 330, and ports 316 and 317 for connecting an input device such as a keyboard and a mouse.

The monitoring unit 310 includes: a hash value generating unit 311 for generating a hash value (first hash value) using the HTML code (or HTML document) of a specific site (e.g., a financial institution); a hash value comparison unit 312 that compares the hash value generated by the hash value generating unit 311 with the hash value (second hash value) generated from the HTML document of the site currently accessed through the agent 120 of the user PC 100; a URL inquiry analysis unit 313 for inquiring and analyzing whether the URL address of the site to which the connection attempt is made is a normal site (or real site) address or a harmful site (or fake site) address; a B/L registration unit 314 for registering information (for example, an IP address, a domain address, a URL address, etc.) of the site in the harmful site list (B/L) 330 when the site is a harmful site (or fake site); and an input device monitoring unit 315 for monitoring the input device (for example, the keyboard and mouse) in order to check whether the attempt to access the particular site is a normal connection attempt.

In other words, the input device monitoring unit 315 monitors whether there is an attempt by the user to access a specific site through an input device (e.g., a keyboard, a mouse). If the user attempts to access the specific site through the input device, it is determined that there is a normal connection attempt; if there is an access attempt for the specific site without going through the input device, it is determined that there is an abnormal connection attempt (for example, a DDoS (Distributed Denial of Service) attack).

The information input from the input device (e.g., a keyboard or a mouse) to the input device monitoring unit 315 is directly transmitted to the keyboard port 130 and the mouse port 140 of the user PC 100. Therefore, the user can use the user PC 100 normally as in the conventional case.

For reference, an IP address is the address of a server on the Internet and is represented by four numbers separated by periods, for example, 123.45.6.78. A domain address replaces the IP address with an address that can be easily read by a human; for example, the domain naver.com stands in for the IP address 220.95.233.172. An example of a URL address is http://kin.naver.com/qna/detail.nhm?dlid=1&dirId=106&docId=162743750.

The monitoring unit 310 acts as a kind of control unit that controls the hash value generating unit 311, the hash value comparing unit 312, the URL inquiry analyzing unit 313, the B/L registering unit 314, and the input device monitoring unit 315. That is, the monitoring unit 310 organically and integrally controls the internal constituent units 311 to 315 to perform detection of abnormal connection attempts (for example, to a harmful site registered in the B/L or to a site not registered in the B/L), connection blocking, and connection warning.

The monitoring unit 310 communicates with the agent 120 installed in the user PC 100 to periodically check whether the agent 120 has been forcibly terminated. Since the agent 120 is a program resident in the user PC 100, it may be forcibly terminated due to a conflict with the operating system (OS) or an application program installed in the user PC 100, or by malicious code. Therefore, the monitoring unit 310 periodically monitors it.

If the agent 120 is forcibly terminated, the monitoring unit 310 may output a warning through an alarm unit (for example, LCD, LED, speaker, buzzer, etc.) (not shown) of the phishing and anti-pharming apparatus 300. Alternatively, the monitoring unit 310 does not transmit the input information of the input device (e.g., a keyboard or a mouse) to the user PC 100, so that the user cannot control the user PC 100, it is judged that there is an abnormality, and the PC is rebooted.

The monitoring unit 310 periodically communicates with the management server 430 and updates the access information (for example, a search word, keyword, domain address, IP address, URL address, etc.) managed in the W/L 320.

The monitoring unit 310 likewise periodically communicates with the management server 430 and updates the access information (for example, a search word, keyword, domain address, IP address, URL address, etc.) of harmful sites managed in the B/L 330.

In addition, the monitoring unit 310 analyzes the HTML code of the connected site in real time to block access to a fake site that does not have the URL address of the actual site (i.e., the normal site) that the user wants to access, reports it to the relevant organization (e.g., KISA) 420 to request blocking, and adds the information of the corresponding fake site to the B/L 330.

At this time, the management server 430 may manage the black list (B/L) in conjunction with the related monitoring organization (e.g., KISA) 420.

Meanwhile, the agent 120 installed in the user PC 100 generates a hash value using the HTML code of a specific site (e.g., financial institution, government office, etc.) accessed through the web browser 110, and transmits it to the phishing and pharming prevention apparatus 300 according to the embodiment. In addition, the agent 120 displays an alert window (e.g., a warning window indicating access to a harmful site) on a screen (e.g., a monitor screen, a web browser screen, etc.) according to a control signal output from the phishing and anti-pharming apparatus 300.

As described above, the phishing and anti-pharming apparatus 300 according to the present embodiment is installed outside the user PC 100 rather than in the user PC 100, and can: (1) monitor the information (e.g., URL address, IP address, domain address) of the site being accessed; (2) monitor the HTML of the page displayed when accessing the site to check whether the page of the actual site has been forged or altered; and (3) monitor the input information of the input device (e.g., keyboard, mouse) so that the user PC 100 is prevented from being used in a DDoS (Distributed Denial of Service) attack.

The above three monitoring operations will be described in more detail.

First, in the first monitoring operation, when the user attempts to access a desired specific site (e.g., a financial institution, a government office, etc.) through the user PC 100 (e.g., by inputting a keyword through a portal site), the monitoring unit 310 inquires and analyzes the information registered in the W/L DB 320 and the B/L DB 330 (for example, the information of actual sites and the information of fake sites) and monitors for access to a fake site in which the information of the actual site (e.g., URL address, IP address, domain address, etc.) has been forged or altered.

Next, in the second monitoring operation, the phishing and anti-pharming apparatus 300 according to the present embodiment generates and stores internally a hash value (first hash value) of the HTML document of the page displayed when the actual site is accessed, obtains through the agent 120 installed in the user PC 100 the hash value (second hash value) of the HTML document of the page displayed at the currently connected site (for example, a site not registered in the B/L), and monitors whether the site is a forged or altered fake site by comparing the two hash values (first and second hash values).

In the third monitoring operation, the phishing and anti-pharming apparatus 300 according to the present embodiment monitors the input of an input device (e.g., a keyboard and a mouse) connected to the user PC 100 and, if there is a site connection attempt, monitors whether this attempt is a normal site access attempt according to the user's intention.

For example, a normal site connection attempt according to the user's intention is accompanied by at least one of a mouse click input, an enter input, a search word input, a keyword input, a URL address input, and an IP address input. If there is an attempt to access a site without any input from the input device, it can be judged that the access attempt was made by a malicious program (or malicious code).

Particularly, the third monitoring operation prevents the user's PC 100 from being used for DDoS (Distributed Denial of Service) attacks.

A Distributed Denial of Service (DDoS) attack refers to a technique in which malicious programs capable of flooding packets are distributed and installed on a large number of PCs so that, in a situation where there is no request (connection attempt) by the user, data packets are flooded at a target system (network), causing performance degradation or paralysis of the target system (network).

Therefore, in the present embodiment, when connection requests are continuously sent to a specific IP even though there is no keyboard input or mouse input, a warning message is output to the user by monitoring the packet type, IP address, etc., so that the DDoS attack can be prevented at the source.

FIG. 2 shows a schematic configuration of a phishing and pharming prevention system according to a second embodiment of the present invention, and FIG. 3 shows a schematic configuration of a phishing and pharming prevention system according to a third embodiment of the present invention. As shown, the apparatus for preventing phishing and pharming according to these embodiments may be implemented as the device 200 included in the router 200 to perform the network sharing function in parallel.

Therefore, the basic configuration of the phishing and anti-pharming device according to the second and third embodiments shown in FIGS. 2 and 3 is not significantly different from that described with reference to FIG. 1, and description of the same components is omitted for convenience of explanation. However, as in the third embodiment, the components 315, 316, and 317 for monitoring an input device (e.g., a keyboard, a mouse) may not be included.

In this embodiment, it is assumed that the monitoring unit 310 of the phishing and pharming prevention apparatus 300 operates as a control unit and operates the functions of the internal components 311, 312, 313, 314, and 315 in unison.

FIG. 4 is a flowchart illustrating a method for preventing phishing and pharming according to an embodiment of the present invention.

Referring to FIG. 4, when there is an access attempt (for example, an access attempt through a packet output through a communication network) to a specific site (e.g., a financial institution, a government office, or the like) (YES in S101), the monitoring unit 310 monitors whether there is input (or a site access attempt) through an input device (e.g., a keyboard, a mouse, or the like) (S102).

Also, the monitoring unit 310 compares and analyzes the URL address or the IP address of the specific site to which connection was attempted against the information (e.g., a URL address, an IP address, etc.) pre-stored in the W/L (White List) and the B/L (Black List) (S103).

The monitoring unit 310 also generates a hash value of the HTML document of the connected specific site, and compares and analyzes that hash value (second hash value) against the stored hash value (first hash value) generated from the HTML document of the specific site (financial institution, government office, etc.) (S104).

It should be noted that although the above three processes (S102, S103, and S104) are illustrated as being sequentially performed in series in the present embodiment, they may be performed as separate processes in parallel according to the embodiment.

Therefore, based on the three processes (S102, S103, and S104), when connection to a normal site is attempted in a normal manner (YES in S105), the process proceeds to step S106.

However, if a site access attempt is made in an abnormal manner, or a connection attempt is made to a harmful site (or a fake site) that is not a normal site (NO in S105), the monitoring unit 310 performs at least one of outputting an alert window (for example, an alert window indicating that the user has accessed a harmful site) on a screen (e.g., a monitor screen, a web browser screen, etc.), blocking the connection, reporting to the relevant organization, and registering in the B/L (S107).
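The three checks (S102, S103, S104) and the S105 to S107 decision described above, as an added Python sketch that is not code from the patent or its authors. SHA-256, the 5-second input window, the rule that a whitelisted domain must resolve to a registered IP, treating "YES in S105" as allowing the connection, and all names and sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

INPUT_WINDOW_S = 5.0  # assumption: maximum age of the last keyboard/mouse event


def html_hash(html: bytes) -> str:
    # SHA-256 is an assumption; the patent does not name a hash algorithm.
    return hashlib.sha256(html).hexdigest()


@dataclass(frozen=True)
class WhitelistEntry:
    ips: frozenset   # IP addresses registered for the real site
    first_hash: str  # hash generated in advance from the real site's HTML


@dataclass
class Verdict:
    allowed: bool
    reasons: list    # which of S102/S103/S104 flagged the attempt
    actions: list    # S107 actions taken


@dataclass
class Monitor:
    whitelist: dict                              # W/L DB: domain -> WhitelistEntry
    blacklist: set = field(default_factory=set)  # B/L DB: harmful domains and IPs
    last_input_ts: float = float("-inf")

    def on_input(self, ts: float) -> None:
        """Record a keyboard/mouse event passing through the external device."""
        self.last_input_ts = ts

    def check(self, url, dst_ip, ts, second_hash=None) -> Verdict:
        host = (urlsplit(url).hostname or "").lower()
        entry = self.whitelist.get(host)
        reasons = []

        # S102: was the connection attempt preceded by real user input?
        if not (0.0 <= ts - self.last_input_ts <= INPUT_WINDOW_S):
            reasons.append("S102:no-user-input")

        # S103: address analysis against the B/L and W/L.
        if host in self.blacklist or dst_ip in self.blacklist:
            reasons.append("S103:blacklisted")
        elif entry is not None and dst_ip not in entry.ips:
            # Correct domain, unregistered server: the pharming case.
            reasons.append("S103:ip-not-registered-for-domain")

        # S104: agent-reported second hash versus the stored first hash.
        if entry is not None and second_hash is not None \
                and second_hash != entry.first_hash:
            reasons.append("S104:hash-mismatch")

        if not reasons:
            return Verdict(True, [], [])  # YES in S105 (assumed to mean allow)

        actions = ["block", "warn"]       # S107
        if any(r.startswith(("S103:ip", "S104")) for r in reasons):
            # Register the server IP, not the domain: under pharming the
            # domain name itself is the genuine one.
            self.blacklist.add(dst_ip)
            actions.append("register-bl")
        return Verdict(False, reasons, actions)


# Constructed sample data (documentation domains and address ranges).
REAL_HTML = b"<html><form action='/login'><input name='id'></form></html>"
FAKE_HTML = b"<html><form action='/login'><input name='id'><input name='card'></form></html>"


def demo():
    m = Monitor({"bank.example": WhitelistEntry(frozenset({"192.0.2.10"}),
                                                html_hash(REAL_HTML))})
    m.on_input(100.0)
    normal = m.check("https://bank.example/login", "192.0.2.10", 101.0,
                     html_hash(REAL_HTML))
    m.on_input(200.0)
    pharmed = m.check("https://bank.example/login", "203.0.113.66", 201.0,
                      html_hash(FAKE_HTML))
    # No input since t=200: a background process opens a connection at t=500.
    background = m.check("http://other.example/", "198.51.100.7", 500.0)
    return m, normal, pharmed, background


if __name__ == "__main__":
    for verdict in demo()[1:]:
        print(verdict)
```

Because the comparison is an exact hash match, any byte-level change to a legitimate page (session tokens, rotating banners) also produces a mismatch, so a deployment would have to hash content that is stable across visits.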

Meanwhile, as described above, the anti-phishing and anti-pharming apparatus according to the present embodiment stores white list (W/L) and black list (B/L) data for URL inquiry and analysis in a DB, communicates with the management server 430, and performs updates of the data (W/L, B/L). At this time, the symmetric encryption algorithm AES (Advanced Encryption Standard) and the public key algorithm elliptic curve cryptography can be used to securely update the data (W/L, B/L).

FIG. 5 is a flowchart illustrating a method of registering with a management server for updating data of a phishing and pharming prevention apparatus according to an embodiment of the present invention.

Referring to FIG. 5, the monitoring unit 310 of the device, acting as the control unit, generates an ECC (Elliptic Curve Cryptography) key pair (S201), encrypts the public key and the serial number of the device (phishing and pharming prevention device) 300, and transmits the encrypted public key and serial number to the management server 430 (S202).

The management server 430 decrypts the public key and the serial number of the device using the secret key of the server and stores the decrypted public key and serial number in the server (S203). Then, the management server 430 encrypts the digital signature of the server using the public key of the device and transmits it to the device 300 (S204).

Accordingly, the device 300 (actually, the monitoring unit of the device) decrypts the digital signature of the server using the secret key of the device and stores it therein (S205).

The device 300 is registered in the management server 430 through the above process, and the digital signature of the server stored in the device 300 is used as a component of the device digital signature used in device authentication for data updates.

Although not shown in the drawing, once the device is registered in the management server 430 as described above, the monitoring unit 310 transmits the digital signature of the device (e.g., a digital signature of the device generated using the serial number of the device and the digital signature of the server) to the management server 430 in order to update the data (W/L, B/L). After verification, the management server 430 transmits the data (W/L and B/L) to the device 300. The device 300 (actually, the monitoring unit of the device) decrypts the received update data using the secret key of the device and stores it in the DBs (W/L DB and B/L DB) 320 and 330, respectively.

As described above, the management server 430 updates the W/L and B/L data and the packet analysis program to be performed by the device, and transmits the device (phishing and anti-pharming device) information (unique number, firmware version, B/L version, etc.). In addition, when the data (W/L, B/L) is updated, a smart card (for example, in USIM format) may be used as an authentication means.
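The registration steps S201 to S205 and the signed update request described above, written out as an added example with both sides simulated in one process (not code from the patent). The page does not say how ECC is used to encrypt, what the server signs, or how the device learns the server's public key; the ECDH + HKDF + AES-GCM sealing, the signed payloads, the pre-provisioned server key and all function names are assumptions, and the block needs the third-party `cryptography` package.

```python
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

CURVE, SIG = ec.SECP256R1(), ec.ECDSA(hashes.SHA256())  # assumed curve and signature scheme

def pub_bytes(key):  # 65-byte uncompressed point of a private key's public half
    return key.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)

def _aes_key(priv, peer_pub):
    # ECC does not encrypt data itself: ECDH agrees a secret, HKDF turns it into an AES-256 key.
    shared = priv.exchange(ec.ECDH(), peer_pub)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=b"wl-bl-update").derive(shared)

def seal(recipient_pub, msg):
    """Encrypt to recipient. Assumed layout: ephemeral pubkey (65) || nonce (12) || ciphertext."""
    eph, nonce = ec.generate_private_key(CURVE), os.urandom(12)
    return pub_bytes(eph) + nonce + AESGCM(_aes_key(eph, recipient_pub)).encrypt(nonce, msg, None)

def unseal(priv, blob):
    """Decrypt with the recipient's secret key; raises InvalidTag if the blob was altered."""
    peer = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, blob[:65])
    return AESGCM(_aes_key(priv, peer)).decrypt(blob[65:77], blob[77:], None)

def register(serial, server_key):
    """S201-S205. Returns (device key, server-side record, server signature kept on the device)."""
    device_key = ec.generate_private_key(CURVE)                              # S201
    request = seal(server_key.public_key(), pub_bytes(device_key) + serial)  # S202
    plain = unseal(server_key, request)                                      # S203
    record = {"device_pub": plain[:65], "serial": plain[65:]}
    reply = seal(device_key.public_key(), server_key.sign(plain, SIG))       # S204
    return device_key, record, unseal(device_key, reply)                     # S205

def update_token(device_key, serial, server_sig):
    """Device digital signature over serial || server signature, sent with an update request."""
    return device_key.sign(serial + server_sig, SIG)

def verify_update(record, server_pub, server_sig, token):
    """Server check before sending W/L and B/L data: both signatures must verify."""
    device_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, record["device_pub"])
    try:
        server_pub.verify(server_sig, record["device_pub"] + record["serial"], SIG)
        device_pub.verify(token, record["serial"] + server_sig, SIG)
    except InvalidSignature:
        return False
    return True
```

The update data itself would travel back to the device through the same `seal`/`unseal` pair, keyed to the device public key the server stored in S203.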

As described above, this embodiment compares the user's actual input operation information for a site connection with the site access information. It thereby blocks connections to harmful sites that the user did not intend, which occur when the user computer is controlled by malicious programs such as those used for phishing and pharming, and also prevents the user's PC from being used in a distributed denial of service (DDoS) attack.
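The three checks the external device combines (input device monitoring, address analysis against the W/L and B/L, and HTML hash comparison), as an added example that is not code from the patent. The 5-second input window, SHA-256, the choice to register the serving IP on a hash mismatch, all names and the sample data are assumptions made for the illustration.

```python
import hashlib
from urllib.parse import urlsplit

INPUT_WINDOW_S = 5.0  # assumption: input within 5 s before the request counts as user intent

def html_hash(html: bytes) -> str:
    return hashlib.sha256(html).hexdigest()  # SHA-256 is an assumption

def evaluate(attempt, input_times, whitelist, blacklist):
    """Apply the three checks to one connection attempt; returns (action, reasons).

    attempt     -- dict: ts (seconds), url, ip, html (bytes of the document served)
    input_times -- timestamps of keyboard/mouse events seen by the external device
    whitelist   -- {hostname: first hash value, taken from the genuine site's HTML}
    blacklist   -- set of hostnames and IPs; extended in place (B/L registration)
    """
    host = (urlsplit(attempt["url"]).hostname or "").lower()
    reasons = []
    # 1. Input device monitoring: no recent keyboard/mouse input means nobody asked for this.
    if not any(0 <= attempt["ts"] - t <= INPUT_WINDOW_S for t in input_times):
        reasons.append("no-user-input")
    # 2. Address analysis against the B/L (hostname or serving IP).
    if host in blacklist or attempt["ip"] in blacklist:
        reasons.append("blacklisted")
    # 3. Hash value analysis: second hash (served HTML) against the stored first hash.
    expected = whitelist.get(host)
    if expected is not None and html_hash(attempt["html"]) != expected:
        reasons.append("hash-mismatch")
        blacklist.add(attempt["ip"])  # pharming keeps the real hostname, so list the IP
    return ("block" if reasons else "allow"), reasons

# Constructed sample data: documentation hostnames and IP ranges, made-up page content.
GENUINE = b"<html><title>Example Bank</title><form action='/login'></form></html>"
FAKE = GENUINE.replace(b"/login", b"/collect")
WL = {"bank.example": html_hash(GENUINE)}

def demo():
    bl, typed = set(), [100.0]  # the user typed the address at t=100
    bank = {"ts": 101.0, "url": "https://bank.example/", "ip": "192.0.2.10", "html": GENUINE}
    ok = evaluate(bank, typed, WL, bl)
    pharmed = evaluate({**bank, "ip": "203.0.113.9", "html": FAKE}, typed, WL, bl)
    bot = evaluate({"ts": 500.0, "url": "http://other.example/", "ip": "198.51.100.7", "html": b""}, typed, WL, bl)
    return ok, pharmed, bot, bl
```

An exact hash comparison assumes the genuine page's HTML is byte-stable; pages that embed per-request tokens or rotating content will mismatch unless the hashed portion is normalized first.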

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments. Accordingly, the technical scope of the present invention should be defined by the following claims.

100: user PC
110: web browser
120: agent
130: keyboard port
140: mouse port
200: router
300: phishing and pharming prevention apparatus
310: monitoring unit
311: hash value generating unit
312: hash value comparing unit
313: URL inquiry analyzing unit
314: B/L registration unit
315: input device monitoring unit
316: keyboard port
317: mouse port
320: W/L DB
330: B/L DB
410: financial institution site
420: KISA site
430: management server

Claims (10)

An agent installed on the user's computer; and
an external device communicating with the agent outside the user computer to perform anti-phishing and anti-pharming operations,
The agent generates a hash value using an HTML document of a specific site displayed through a web browser of the user computer and transmits the generated hash value to the external device, On the screen,
wherein, when the user attempts to access a site through the user computer, the external device monitors whether the connection attempt is a normal site connection attempt intended by the user and whether the site connected by the site connection attempt is a normal site or a harmful site, and performs at least one of site access blocking, harmful site access warning, and harmful site list registration based on the monitoring result,
wherein the external device includes: an input device monitoring unit for monitoring input operations through an input device including a keyboard and a mouse to determine whether a site connection attempt is a normal site connection attempt intended by the user; and a monitoring unit operating as a control unit,
wherein the monitoring unit
determines that there is a normal connection attempt if there is an attempt to connect to a specific site through the input device, determines that there is an abnormal connection attempt including a DDoS (Distributed Denial of Service) attack if there is an attempt to access the specific site without going through the input device, and notifies the user of the connection request.

The apparatus according to claim 1,
wherein the external device is connected to a front end or a rear end of a router that shares one Internet line so that at least one computer can access the Internet at the same time, or is additionally provided inside the router so as to perform the functions of the router at the same time.

(Deleted)

The apparatus according to claim 1,
wherein the information input through the input device is monitored while the input information is simultaneously transmitted to a keyboard port and a mouse port of the user computer.

The apparatus according to claim 1,
a hash value generation unit that generates a hash value (first hash value) using an HTML document of a specific site including a financial institution and a government office;
a hash value comparing unit for comparing the hash value generated by the hash value generating unit with a hash value (second hash value) generated from an HTML document of the site currently accessed through the agent of the user's computer;
a URL inquiry analyzer for inquiring and analyzing whether the URL address of the site to which the connection is attempted is a normal site address or a harmful site address; and
a blacklist registering unit for registering the harmful site information in the blacklist DB when the connected specific site is a harmful site.

The apparatus according to claim 1,
wherein the monitoring unit communicates with the agent at a predetermined period to monitor whether the agent has been forcibly terminated, and,
if the agent has been forcibly terminated, the monitoring unit outputs a warning by itself through built-in alarm means or controls the user's computer by not transmitting input information of the input device including the keyboard and the mouse to the user computer.

The apparatus according to claim 1,
a whitelist DB for managing access information of specific sites including financial institutions and government offices; and a blacklist DB for managing access information of harmful sites,
wherein the monitoring unit in the external device communicates with the management server to periodically update the access information managed in the whitelist DB and the blacklist DB, and communicates the information of a fake site corresponding to actual site information to the server of the related organization to request that access to the sites registered in the blacklist DB be blocked,
wherein the access information managed in the whitelist DB and the blacklist DB includes
a search word, a keyword, a domain address, an IP address, and a URL address.

A phishing and pharming prevention method using a phishing and pharming prevention system configured by an agent installed in a user's computer and an external device communicating with the agent outside the user's computer to perform anti-phishing and anti-pharming operations,
an input device monitoring step in which, when there is an attempt to access a specific site through the user computer, the monitoring unit in the external device monitors whether there has been input through an input device including a keyboard and a mouse;
an address analysis step in which the monitoring unit analyzes the URL address or the IP address of the specific site to which the connection is attempted against the information stored in advance in the W/L (White List) DB and the B/L (Black List) DB;
a hash value analysis step in which the monitoring unit generates a hash value of the HTML document of the currently connected specific site and compares that hash value (second hash value) with the stored hash value (first hash value) generated in advance from the HTML document of the specific site; and
a step in which, when a connection to a harmful site is detected in at least one of the monitoring of the input device, the analysis of the address, and the analysis of the hash value, the monitoring unit performs at least one of blocking access to the site, issuing a harmful site connection warning, and registering the site in the harmful site list.

The method according to claim 8,
wherein the access information managed in the W/L DB and the B/L DB is periodically updated through communication with the management server, and information of a fake site corresponding to actual site information is communicated to the server of the related institution to request that access to the site be blocked,
the W/L DB manages access information of specific sites including financial institutions and government offices, and the B/L DB manages access information of harmful sites,
the access information managed in the whitelist DB and the blacklist DB includes at least one of a search word, a keyword, a domain address, an IP address, and a URL address, and
a smart card of a predetermined type is used as an authentication means for device authentication when updating the W/L DB and the B/L DB.

The method of claim 8,
wherein, in the monitoring step, the monitoring unit determines that there is a normal access attempt if the user attempts to access the specific site through the input device, and determines that there is an abnormal connection attempt including a DDoS attack if there is an access attempt for the specific site without going through the input device, in which case the connection request is blocked and the user is notified,
the monitoring unit, when periodic communication with the agent is possible, monitors the information input through the input device while simultaneously transmitting the input information to the keyboard port and the mouse port of the user computer, and
the monitoring unit, when the agent has been terminated, may output a warning by itself through the built-in alarm unit or may not transmit the input information of the input device to the user computer.

KR1020160073349A 2016-06-13 2016-06-13 System and method for protecting against phishing and pharming KR101663935B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160073349A KR101663935B1 (en) 2016-06-13 2016-06-13 System and method for protecting against phishing and pharming

Publications (1)

Publication Number Publication Date
KR101663935B1 true KR101663935B1 (en) 2016-10-07

Family

ID=57145401

Country Status (1)

Country Link
KR (1) KR101663935B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844678A (en) * 2022-04-07 2022-08-02 南京邮电大学 Browser security query method based on privacy protection
WO2024049148A1 (en) * 2022-09-01 2024-03-07 숭실대학교 산학협력단 Phishing attack prevention method, and recording media and devices for performing same

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20090053426A (en) * 2007-11-23 2009-05-27 주식회사 가자아이 Method and system for for blocking harmful internet site
KR100912794B1 (en) * 2008-11-18 2009-08-18 주식회사 나우콤 Web hacking management system and manegement method thereof for real time web server hacking analysis and homepage hacking search
KR20160027842A (en) * 2014-09-02 2016-03-10 주식회사 케이티 Method for detecting harmful dns and spoofing site, and security system thereof

Legal Events

Date Code Title Description
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190926

Year of fee payment: 4