KR101564518B1 - Method and apparatus for automatically creating rule for network traffic dection - Google Patents

Abstract

The present invention relates to a method and an apparatus for automatically creating a rule for a network traffic detection, which can automatically detect a network traffic by using a sequential pattern algorithm. The method for automatically creating a rule according to one embodiment of the present invention may include the steps of: collecting traffic including a packet; configuring a flow by grouping a plurality of packets included in the traffic; configuring a sequence by extracting an identifier and a payload from the flow; creating a content group ( ) having a length of k by using a content combination belonging to a content group ( ) having a length of k-1 and thereby, extracting a candidate content (herein, the k means a natural number of 2 or higher, a content group (L1) having a length of 1 is extracted from the configured sequence); extracting a final content by considering an inclusive relationship of the candidate contents; and creating a rule by using the extracted final content.

Description

[0001] METHOD AND APPARATUS FOR AUTOMATICALLY CREATING RULE FOR NETWORK TRAFFIC DECTION [0002]

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a method and apparatus for automatically generating rules for detecting network traffic, and more particularly, to a method and apparatus for generating rules for detecting network traffic that automatically detects network traffic using a sequential pattern algorithm.

The goal of network management is to take full advantage of network resources and protect network equipment from anomalous attacks. To this end, network administrators establish appropriate network policies and apply them to the network to be managed. Since the network policy is performed by blocking specific traffic or adjusting the bandwidth, traffic analysis should be performed to find the origin of traffic.

The traffic analysis is to identify applications that generate traffic using unique characteristics (signatures, rules) that represent the application, and the analysis results can be used not only for network policy, but also for capacity planning, network provisioning, traffic engineering, It is used in various fields. A related prior art document is Korean Patent No. 10-1156008.

Snort is a commonly used traffic detection engine. It is a very common tool in the field of network traffic that a commercial company can use Snort engine to develop traffic analysis and detection equipment. Snort uses predefined rules (Rule) to detect the corresponding packet and to perform the action defined in the rule. The rules are applied on a per-packet basis, and use header information (IP address, port, protocol), statistical information (packet size), and payload information (content, pcre, offset).

Generally, in order to generate a rule, we performed a total number of traffic analysis to find common characteristics observed only in the corresponding traffic.

However, this method has a limitation that the rule generation time is long and the accuracy of the generated rule is variable according to the ability of the extracting person.

Therefore, there is a need for research on techniques for quickly generating rules for network detection, not manual.

SUMMARY OF THE INVENTION It is an object of the present invention to provide a method and apparatus for automatic generation of a rule that can automatically generate a rapid and collective network traffic detection rule.

It is an object of the present invention to provide a method and apparatus for generating a rule for network traffic detection that automatically detects network traffic using a sequential pattern algorithm.

)에 속하는 컨텐트의 조합을 이용하여 길이가 k인 컨텐트 집합(

)을 생성하여 후보 컨텐트를 추출하는 단계- 상기 k는 2이상의 자연수이고, 길이가 1인 컨텐트 집합(L₁)은 상기 구성된 시퀀스에서 추출됨-; 상기 후보 컨텐트 간의 포함관계를 고려하여 최종 컨텐트를 추출하는 단계; 및 상기 추출된 최종 컨텐트를 이용하여 규칙을 생성하는 단계를 포함하는 규칙 자동 생성 방법이 개시된다.According to an aspect of the present invention, there is provided a method for controlling a network, the method comprising: collecting traffic including a packet; Grouping a plurality of packets included in the traffic to form a flow; Extracting an identifier and a payload in the flow to construct a sequence; And a content set of length k-1 (

), A content set having a length k (" k "

), And extracting candidate content, wherein k is a natural number greater than or equal to 2, and a content set (L ₁ ) of length ₁ is extracted from the configured sequence; Extracting a final content by considering the inclusion relation between the candidate contents; And generating a rule using the extracted final content.

)에 속하는 컨텐트의 조합을 이용하여 길이가 k인 컨텐트 집합(

)을 생성하여 후보 컨텐트를 추출하고, 상기 후보 컨텐트 간의 포함관계를 고려하여 길이가 최종 컨텐트로 추출하는 컨텐트 추출부- 상기 k는 2이상의 자연수이고, 길이가 1인 컨텐트 집합(L₁)은 상기 구성된 시퀀스에서 추출됨-; 상기 추출된 최종 컨텐트를 이용하여 규칙을 생성하는 규칙 생성부; 상기 수집부, 상기 플로우 구성부, 상기 시퀀스 구성부, 상기 컨텐트 추출부 및 상기 규칙 생성부를 제어하는 제어부를 포함하는 규칙 자동 생성 장치가 개시된다.According to an aspect of the present invention, there is provided a communication system including: a collecting unit collecting traffic including a packet; A flow configuring unit for grouping a plurality of packets included in the traffic to form a flow; A sequence constructing unit for extracting an identifier and a payload from the flow to construct a sequence; And a content set of length k-1 (

), A content set having a length k (" k "

A content extracting unit for extracting a candidate content from the candidate content and extracting the length as a final content in consideration of a content relation between the candidate content, wherein the k is a natural number of 2 or more, and the content set (L ₁ ) Extracted from the configured sequence; A rule generator for generating a rule using the extracted final content; A rule automatic generation device is disclosed that includes a control unit that controls the collection unit, the flow configuration unit, the sequence configuration unit, the content extraction unit, and the rule generation unit.

The automatic rule generation method and apparatus for detecting network traffic according to an embodiment of the present invention can automatically generate network traffic detection rules automatically without depending on the manual operation of the administrator.

According to an embodiment of the present invention, a network traffic detection rule can be generated without a preprocessor or a post-process.

1 is a block diagram illustrating an automatic rule generation device according to an embodiment of the present invention.
2 is a flow chart illustrating a method for automatically generating a rule in accordance with an embodiment of the present invention.
Figure 3 shows a content extraction algorithm in accordance with an embodiment of the present invention.
Figure 4 illustrates a candidate content algorithm associated with an embodiment of the present invention.
FIG. 5 shows an example of a process of performing the algorithm of FIGS.
6 shows an example of a rule generated using only content information related to an embodiment of the present invention.
FIG. 7 shows an example of a rule generated using content information and additional information according to an embodiment of the present invention.
Figure 8 shows a content location analysis algorithm in accordance with an embodiment of the present invention.
FIG. 9 shows an example of the snort content rule generated through the automatic rule generation method according to an embodiment of the present invention.

Hereinafter, a method and apparatus for automatically generating a rule for detecting network traffic according to an embodiment of the present invention will be described with reference to the drawings.

As used herein, the singular forms "a", "an" and "the" include plural referents unless the context clearly dictates otherwise. In this specification, the terms "comprising ", or" comprising ", etc. should not be construed as necessarily including the various elements or steps described in the specification, Or may be further comprised of additional components or steps.

In the following, we will describe network traffic detection as Snort content rule as an example of network detection rule. Snort is a commonly used traffic detection engine. It is a very common tool in the field of network traffic that a commercial company can use Snort engine to develop traffic analysis and detection equipment. Snort uses predefined rules (Rule) to detect the corresponding packet and to perform the action defined in the rule. The rules are applied on a per-packet basis, and use header information (IP address, port, protocol), statistical information (packet size), and payload information (content, pcre, offset).

1 is a block diagram illustrating an automatic rule generation device according to an embodiment of the present invention.

The automatic rule generating apparatus 100 includes a collecting unit 110, a flow generating unit 120, a sequence generating unit 130, a content extracting unit 140, a rule generating unit 150, a storage unit 160, a transmission unit 170, and a control unit 180.

The collecting unit 110 can collect the analysis target application and the service or the traffic in which the malicious code is generated for each initial host. The traffic is based on a packet.

The flow configuration unit 120 may configure collected packet aggregation traffic as a flow.

Hereinafter, the flow in the embodiment is a set of packets having the same 5-tuple (source IP, source port, Destination IP, Destination port, Protocol).

The sequence generator 130 may combine packets having the same transmission direction in a single flow to form one sequence. For example, the sequence constructing unit 130 may construct a sequence by combining only the payload among the constituent elements of the packet.

A sequence can be used as an input to a sequential pattern algorithm for extracting content.

The content extracting unit 140 may extract the content to be applied to the rule using the sequential pattern algorithm. The sequential pattern algorithm searches for candidate content by increasing the length starting from the candidate content of length 1 in the input sequence and finally extracts content with a certain level of support. In this specification, the content length means the byte size of the corresponding content.

The rule generation unit 150 may generate a network detection rule using the content extracted by the content extraction unit 140. [ If only content is used as a rule, the possibility of false positives (detection of non-detection traffic) is high, so that the rule generator 150 can analyze additional information and describe the information in the rule. For example, the additional information may include header information and location information of content.

The storage unit 160 may store the generated rules.

The transmission unit 170 may provide the stored rules to the specific server.

The control unit 180 includes a collecting unit 110, a flow generating unit 120, a sequence generating unit 130, a content extracting unit 140, a rule generating unit 150, a storage unit 160, Can be controlled as a whole.

2 is a flow chart illustrating a method for automatically generating a rule in accordance with an embodiment of the present invention.

The collecting unit 110 may collect traffic based on the determined detection target (S210). Traffic collection is the first step in creating rules. Detection targets can vary widely depending on network management objectives such as application, service, attack, and malicious code. The collecting unit 110 collects traffic directly from a host that generates traffic, uses a collecting tool such as wireshark and tcpdump, collects traffic using a switching function or a tap device can do.

The following equations (1) and (2) show the types of collected packets.

A PacketSet is a set of packets, and a single packet P consists of a host ID, a source IP address, a source port, a Layer 4 protocol, a destination IP address, a destination port, and a payload. Particularly, the payload is composed of consecutive characters. In this embodiment, the automatically generated content means a partial string of the payload.

Since traffic collection for rule generation requires only the traffic to be detected, collecting traffic from individual hosts can be recommended in terms of improving the accuracy of generated rules.

Meanwhile, the support used in the embodiment of the present invention is based on the host that generated the input traffic, so the traffic should be collected from at least two hosts. However, collecting traffic from multiple hosts in an actual traffic collection environment is cumbersome and impossible. Therefore, it is also possible to divide traffic collected from the same host into multiple files and calculate the support based on the input file instead of the host basis can do. In other words, it may change depending on the environment of traffic collection as a criterion for calculating the support score. A detailed description will be given later.

The flow configuration unit 120 may configure the collected packet aggregation traffic as a flow (S220). The flow used in this embodiment is a set of packets having the same 5-tuple (Source IP, Source Port, Destination IP, Destination port, Protocol) as in Equations (3) and (4).

Meanwhile, according to an embodiment of the present invention, a flow in which a source side and a destination side are symmetric can be configured as a flow, and a forward direction and a backward direction can be written in each packet set. That is, the flow defined in an embodiment of the present invention may be a bidirectional flow in which 5-tuple includes the same packet set and a symmetric packet set.

The reason for constructing a packet as a flow is that, although snort is applied to a packet unit, a single message is divided into several packets (packet fragmentation) due to the characteristics of the network. Therefore, by dividing the packets constituting a single flow by the transmission direction and combining the payload, the actual transmitted payload message can be confirmed without interrupting the message.

The sequence constructing unit 130 may extract a payload of packets divided into a forward and a backward flow to generate a sequence (S230). If the flow is composed of two-way communication packets, two sequences are generated and if one-way communication traffic, one sequence is generated.

Equations (5) and (6) are mathematical expressions representing sequences.

로 구성될 수 있다.The SequenceSet is composed of several sequences (S) as shown in Equation (5), and one sequence is composed of a host ID and a string

≪ / RTI >

The sequence constructing unit 130 may write the host ID into the sequence configured as shown in Equations (5) and (6). This can be used for support calculations as described below. If the support calculation is calculated on the basis of a file, the sequence constructing unit 130 can write the file ID.

The content extracting unit 140 may receive the sequence set and the minimum support and extract a content satisfying the minimum support (S240).

FIG. 3 illustrates a content extraction algorithm in accordance with an embodiment of the present invention, and FIG. 4 illustrates a candidate content algorithm associated with an embodiment of the present invention. The algorithm of FIG. 3 and the algorithm of FIG. 4 are sequential pattern algorithms, and show a method of outputting a set of content satisfying a predetermined minimum support from an input sequence set.

The following Equations (7) and (8) represent extracted contents.

에 저장한다(도 3 알고리즘 Line: 1~5). 컨텐트 추출부(140)는 길이 1인 content를 시작으로 길이를 1씩 늘려가며 모든 길이의 content를 추출하여 자신의 길이 content 집합

에 저장한다(도 3 알고리즘 Line: 6~20). 단, 컨텐트 추출부(140)는 새로 생성된 집합

의 모든 content 중, 입력받은 최소 지지도를 만족하지 않는 content는 삭제한다(도 3 알고리즘 Line: 8~17). 최소 지지도를 만족하지 못하는 content는 content 추출 자격을 만족하지 못할 뿐만 아니라 해당 content를 확장한 content에서도 최소 지지도를 만족하지 않기 때문이다.Referring to FIG. 3, the content extracting unit 140 extracts content having a length of 1 from all sequences of the input sequence set,

(Fig. 3 Algorithm Line: 1 to 5). The content extracting unit 140 extracts contents of all lengths by incrementing the length by 1, starting from content having a length of 1,

(Fig. 3 Algorithm Line: 6 to 20). However, the content extracting unit 140 extracts a newly created set

The content that does not satisfy the inputted minimum support is deleted (Algorithm Line 3 of FIG. 3). Content that does not meet the minimum support not only fails to satisfy the content extraction eligibility, but also does not meet the minimum support for the content that extends the content.

Equation (9) is a formula for calculating the degree of support.

In the algorithm of FIG. 3, the support of the content can be measured by the ratio of hosts that generate the corresponding content among the total number of hosts as shown in Equation (9) (FIG. 3 Algorithm Line: 9-13). For example, if a particular content is observed in traffic originating from all hosts, the acceptance is less than 1, otherwise it is less than 1.

의 content는 집합

을 생성하는 데 사용될 수 있다(도 3 알고리즘 Line: 18).If traffic collected from a single host in a limited traffic collection environment is applied to this algorithm, the host-based support calculation can be changed to a file or flow reference. If the content that does not meet the minimum support is deleted

The content of the set

(Figure 3 Algorithm Line: 18).

의 content들을 비교하여 집합

의 content를 생성할 수 있다. 집합

의 content를 조합하여 집합

의 content를 생성하는 것은 첫 문자를 제외한 길이 k-2 content와 마지막 문자를 제외한 길이 k-2 content가 동일한 집합

의 content들끼리 가능하다(도 4 알고리즘 Line: 1~7).The method used at this time is the method described in the algorithm of Fig. The content extracting unit 140 extracts a content

The content of

Can be generated. set

The content of

The length of the content except for the first character k-2 content and the length of the last character except k-2 content

(Fig. 4 Algorithm Line: 1 to 7).

의 content인 "abcd"와 "bcde"는 "a"를 제외한 "bcd"와 'e'를 제외한 "bcd"가 같기 때문에 집합

의 content "abcde"를 생성할 수 있다. For example, the content extracting unit 140 may extract

Bcd "except for" a "and" bcd "except for" e "are the same, so" abcd "and" bcde "

The content "abcde"

Increase the length by 1 in this manner and repeat the content extraction and content deletion until the new content is no longer extracted. As a final step of the extraction, the contents of all extracted lengths are checked, and if the content in the inclusion relation is found, the corresponding content is deleted from the set (Fig. 3 Algorithm Line: 22). The content extracting unit 140 may transmit the finally generated content set to the next rule creating step.

FIG. 5 shows an example of a process of performing the algorithm of FIGS.

In the example of FIG. 5, a SequenceSet configured with traffic generated from three hosts and a minimum support of 0.6 are input. A SequenceSet consists of four sequences. A minimum support of 0.6 means that the total number of hosts is 3, so the content should be observed for traffic from at least two hosts.

,

,

) 모두 최소 지지도 0.6을 만족하기 때문에 길이 2 content 생성에 사용된다. 길이 2 content 생성 후, 최소 지지도를 계산하고 만족하지 못하는 content들은 삭제한다. 컨텐트 추출부(140)는 최소 지지도를 만족하는 길이 2 content(

,

)를 사용하여 길이 3 content를 추출한다. 최소 지지도를 만족하는 길이 3 content의 개수가 1이기 때문에 더 이상 content의 길이를 늘리는 것은 불가능하다. 따라서 컨텐트 추출부(140)는 content 추출을 종료한다. 추출 종료 후, 포함관계가 있는

,

,

는 contentSet에서 삭제되고 최종적으로

가 다음 단계인 규칙 생성 단계로 전달될 수 있다.When the algorithm of FIG. 3 and FIG. 4 is performed, all contents of length 1 are extracted. Content of length 1 (

,

,

) Are both used to generate length 2 content since they satisfy the minimum support of 0.6. After generating length 2 content, calculate the minimum support and delete content that is not satisfactory. The content extracting unit 140 extracts a content having a length 2 content (

,

) To extract length 3 content. It is impossible to increase the length of the content any more because the number of 3 contents satisfying the minimum support is 1. Therefore, the content extracting unit 140 ends the content extraction. After extraction is complete,

,

,

Is removed from the contentSet and finally

May be passed to the rule creation step, which is the next step.

The rule generation unit 150 may generate a rule using the extracted final content.

When Snort rules are created using only the extracted final content information, there is a high possibility of false positives. That is, if the length of the extracted content is too short, the rule can be applied to traffic that is not a detection target.

FIG. 6 shows an example of a rule generated using only content information related to an embodiment of the present invention, and FIG. 7 shows an example of a rule generated using content information and additional information related to an embodiment of the present invention .

As shown in FIG. 6 and FIG. 7, there is a large difference between rules using only content information and rules not using content information. The example of FIG. 6 examines the entire packet payload and checks whether the corresponding content exists. However, FIG. 7 uses the TCP protocol and checks whether the corresponding content among the packets transmitted using the Destination IP of 111.222.333.0/24 and the port number of 80 exists between the 4th byte and the 20th byte of the payload .

Therefore, the rule generation unit 150 may analyze the additional information such as the location information of the content and the header information, and generate the rule by including the analyzed information in addition to the extracted final content (S250). By including the additional information analyzed as described above in the rule, it is possible to reduce the probability of false positives of the rule and reduce the payload inspection amount with relatively high performance overhead, so that the performance of the traffic detection system can be improved.

The rule generation unit 150 may use the packet data generated in the traffic collection step to analyze the location information of the extracted content. Because Snort operates on a packet-by-packet basis, the location of the content should be analyzed to the location in the actual packet payload, not the sequence.

Figure 8 shows a content location analysis algorithm in accordance with an embodiment of the present invention.

The algorithm of FIG. 8 shows a process of analyzing the location information of content when a content and a packetSet are given. The output offset of the algorithm of FIG. 8 means the minimum byte position of the matching start position when the corresponding content matches the packet of the packet set, and the depth means the maximum byte position of the matching end position. That is, when the corresponding content is matched to the packet, it means that it is matched only between the offset and the depth of the payload.

Referring to FIG. 8, the rule generator 150 initializes the initial offset to the maximum size of the packet and the depth to 0 (Algorithm Line 1 to 2 in FIG. 8). The rule generator 150 then traverses all packets in the packet set and adjusts the offset and depth. The rule generation unit 150 checks whether the received content and the packet are matched with each other. If the match is found, the rule generation unit 150 obtains the start byte position and compares it with the current offset. If the value is smaller than the current offset, the rule generator 150 changes the value to the current offset. In the case of depth, if the end byte position is obtained and is greater than the current depth, the rule generator 150 changes the value to the current depth (Algorithm Line 4-6 in FIG. 8).

The rule generation unit 150 adds the finally determined offset and depth values to the content rule.

The rule generation unit 150 may perform a process similar to the location information analysis step described above in order to analyze the header information of the extracted content. The rule generation unit 150 circulates all the packets of the packet set and confirms whether the content matches with the corresponding content. If the packet is matched, the rule generator 150 stores header information of the packet. After checking all the packets, if the stored header information has one unique value, the rule generator 150 adds the header information to the content rule. The rule generation unit 150 repeats CIDR values in the order of 32, 24, and 16 in the case of IP until a unique value is extracted. That is, the rule generator 150 tries to find a unique value in the D class IP having the CIDR value of 32, and if not, the CIDR value is set to 24 to find the C class IP. For example, if the Destination IP to which the corresponding content matches is extracted as "111.222.333.1/32" and "111.222.333.2/32" with CIDR 32, the CIDR is set to 24 and "111.222.333.0/24" is extracted. The rule generation unit 150 can extract "any" if it can not extract a unique IP even when CIDR 16 is applied.

The rule generation unit 150 may use a corresponding value when a unique value is extracted in the case of a port and extract it as an "any "

When the rule is generated by adding additional information such as the location information of the content, the header information, and the like, the generated rule may be stored in the storage unit 160 and transmitted to the external (individual or group) (S260).

The generated rules can be used as follows.

First, it can be distributed periodically to the subscriber who paid the generated certain amount. Actually, www.snort.org also provides the latest rules for individuals and organizations paying a certain amount. Second, you can run a website that provides automatic rule generation services. It is possible to provide a service that can automatically generate rules from the traffic data uploaded by the user and confirm the generated results in real time. Finally, it is possible to install this system and provide maintenance service to a network equipment development company that wants to utilize this system.

FIG. 9 shows an example of the snort content rule generated through the automatic rule generation method according to an embodiment of the present invention.

An example of the rule shown is a rule generated by collecting traffic generated when a typical Internet application or service is selected and the application is used.

As described above, the automatic rule generation method and apparatus for detecting network traffic according to an embodiment of the present invention can automatically generate network traffic detection rules automatically without depending on the manual operation of the administrator.

According to an embodiment of the present invention, a network traffic detection rule can be generated without a preprocessor or a post-process.

The automatic rule generation method described above can be implemented in the form of a program command that can be executed through various computer means and recorded in a computer-readable recording medium. At this time, the computer-readable recording medium may include program commands, data files, data structures, and the like, alone or in combination. On the other hand, the program instructions recorded on the recording medium may be those specially designed and configured for the present invention or may be available to those skilled in the art of computer software.

The computer-readable recording medium includes a magnetic recording medium such as a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, an optical medium such as a CD-ROM and a DVD, a magnetic disk such as a floppy disk, A magneto-optical media, and a hardware device specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like.

The recording medium may be a transmission medium such as a light or metal line, a wave guide, or the like including a carrier wave for transmitting a signal designating a program command, a data structure, and the like.

The program instructions also include machine language code, such as those generated by the compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

The above-described automatic rule generation method and apparatus are not limited to the configuration and method of the above-described embodiments, but the embodiments may be modified so that all or some of the embodiments are selectively And may be configured in combination.

100: Automatic rule generator
110: collecting section
120:
130:
140:
150:
160:
170:
180:

Claims (10)

Collecting traffic including a packet;
Grouping a plurality of packets included in the traffic to form a flow;
Extracting an identifier and a payload in the flow to construct a sequence; And
A content set of length k-1 (

), A content set having a length k (" k "

), And extracting candidate content, wherein k is a natural number greater than or equal to 2, and a content set (L ₁ ) of length ₁ is extracted from the configured sequence;
Extracting a final content by considering the inclusion relation between the candidate contents; And
And generating a rule by using the extracted final content. The method of claim 1, wherein the candidate content extracting step
The content set having the length k-1 (

And deleting the content that does not satisfy the set minimum support level. 3. The method of claim 2,
Wherein the calculation is performed based on any one of a host, a file, and a flow. 3. The method of claim 2, wherein the candidate content extraction step
A content set of length k-1 (

) Length k-2 excluding the first character Content length excluding k-2 content and last character Content set with the same content (

≪ / RTI > using a combination of the content belonging to the first rule. 3. The method of claim 2,
Using at least one of header information of a packet matched with the extracted final content and location information of the final content. A collection unit for collecting traffic including packets;
A flow configuring unit for grouping a plurality of packets included in the traffic to form a flow;
A sequence constructing unit for extracting an identifier and a payload from the flow to construct a sequence; And
A content set of length k-1 (

), A content set having a length k (" k "

A content extracting unit for extracting a candidate content from the candidate content and extracting the length as a final content in consideration of a content relation between the candidate content, wherein the k is a natural number of 2 or more, and the content set (L ₁ ) Extracted from the configured sequence;
A rule generator for generating a rule using the extracted final content;
And a control unit for controlling the collecting unit, the flow generating unit, the sequence generating unit, the content extracting unit, and the rule generating unit. 7. The apparatus of claim 6, wherein the content extractor
The content set having the length k-1 (

And deletes the content that does not satisfy the set minimum support. 8. The method of claim 7,
A rule, a host, a file, and a flow. 8. The apparatus of claim 7, wherein the content extracting unit
A content set of length k-1 (

) Length k-2 excluding the first character Content length excluding k-2 content and last character Content set with the same content (

) Is a combination of the contents belonging to the automatic rule generating unit. 8. The apparatus of claim 7, wherein the rule generator
Wherein header information of a packet matched with the extracted final content and location information of the final content are used.

Images