KR101812732B1 - Security device and operating method thereof - Google Patents

Security device and operating method thereof

Info

Publication number
KR101812732B1
Authority
KR
South Korea
Prior art keywords
host
attack
hosts
arbitrary
category
Prior art date
Application number
KR1020150190183A
Other languages
Korean (ko)
Other versions
KR20170079511A (en)
Inventor
서연식
Original Assignee
주식회사 시큐아이
Application filed by 주식회사 시큐아이
Priority to KR1020150190183A
Publication of KR20170079511A
Application granted
Publication of KR101812732B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information, intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/141 Denial of service attacks against endpoints in a network

Abstract

A method of operating a security device that records a log history of packet transmission and reception between hosts includes the steps of: defining attack step categories using the past log history of the hosts; matching the current log history of the hosts against each of the attack step categories; determining the attack intention of each of the hosts in accordance with the matching result; and controlling packet transmission and reception between the hosts in accordance with the determination result.

Description

SECURITY DEVICE AND OPERATING METHOD THEREOF

An embodiment according to the concept of the present invention relates to a security device and a method of operation thereof.

Along with the development of information and communication technology, various hacking techniques have become so widespread that anyone can misuse them, and the damage caused by hacking is increasing exponentially. Hackers spread malicious code to personal PCs, public institution servers and the like using the widely connected Internet.

When an Internet user browses a web page that contains malicious code, the user's PC may be infected with the malicious code automatically. PCs infected with malicious code become zombie PCs and can be used for distributed denial of service (DDoS) attacks.

To prevent such damage, organizations that require network security, such as corporations and public institutions, try to prevent hacking damage by installing malicious code detection programs. However, these existing methods are only passive measures applied to PCs that are already infected with malicious code.

SUMMARY OF THE INVENTION

The present invention is directed to a security device that analyzes the past log history of packet transmission and reception between external hosts and internal hosts to identify the attack intentions of attackers and to provide a countermeasure against them, and to an operating method of the security device.

It is another object of the present invention to provide a security device and an operating method thereof that, by identifying an attacker's attack intention, can effectively block the attacker without having to defend against an unlimited number of attack methods.

It is another object of the present invention to provide a security device and a method of operating the security device,

A method of operating a security device for recording a log history of packet transmission and reception between hosts according to an embodiment of the present invention includes: defining attack step categories using the past log history of the hosts; matching the current log history of the hosts against each of the attack step categories; determining the attack intention of each of the hosts in accordance with the matching result; and controlling packet transmission and reception between the hosts in accordance with the determination result.

According to an embodiment, the defining step may define the past log history as a first attack step category if the past log history includes content for searching an accessible IP port of the target host.

According to an embodiment of the present invention, when the current log history of one of the hosts matches the first attack step category more than a predetermined number of times, the determining step may determine that the host has an attack intention.

According to an embodiment, the controlling step may determine any one of the hosts as an attacker and block transmission / reception of a packet between the target host and the host.

According to an embodiment, the defining step may define the past log history as a second attack step category if the past log history includes a content for searching for a vulnerability of the target host.

According to an embodiment of the present invention, when the current log history of one of the hosts matches the second attack step category, the determining step may determine that the host has an attack intention.

According to an embodiment, the controlling step may determine any one of the hosts as an attacker and block transmission / reception of a packet between the target host and the host.

According to an embodiment, the defining step may define the past log history as a third attack step category, when the past log history includes content to acquire the root authority of the target host.

According to an embodiment, the determining step may determine that the host has an attack intention if the current log history of one of the hosts matches the third attack step category.

According to an embodiment of the present invention, the controlling step may determine the target host as a zombie host, block packet transmission / reception between the target host and the host, or isolate the target host from the network.

A security device according to another embodiment of the present invention includes a log history generation module for recording a log history of packet transmission and reception between hosts, a category generation module for defining attack step categories using the past log history between the hosts, and a control module 110 for matching the current log history between the hosts with each of the attack step categories and determining the attack intention of each of the hosts according to the matching result.

According to the embodiment, the category generation module may classify the attack method of the attacker step by step based on the past log history, and define the attack step categories corresponding to each step.

The security apparatus according to an embodiment of the present invention analyzes the past log history of packet transmission and reception between external hosts and internal hosts to identify the attack intention of the attacker, and provides a countermeasure corresponding to that attack intention, so that the attacker's attack can be neutralized.

In addition, since the security device according to the embodiment of the present invention identifies the attacker's attack intention and applies a countermeasure to it, it can effectively block the attacker's attack without having to provide a separate defense against every possible attack method.

In addition, since the security device according to the embodiment of the present invention performs an attack step-by-step countermeasure against an attacker, the possibility of false positives can be reduced.

FIG. 1 is a schematic block diagram of a security system according to an embodiment of the present invention.
FIG. 2 is a schematic block diagram of the security device shown in FIG. 1.
FIG. 3 is a conceptual diagram for explaining a method by which a security device according to an embodiment of the present invention determines an attack intention of an attacker.
FIG. 4 is a flowchart illustrating an operating method of a security apparatus according to an embodiment of the present invention.

It is to be understood that the specific structural or functional descriptions of the embodiments of the present invention disclosed herein are for illustrative purposes only and are not intended to limit the scope of the inventive concept; the inventive concept may be embodied in many different forms and is not limited to the embodiments set forth herein.

The embodiments according to the concept of the present invention can make various changes and can take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. It should be understood, however, that it is not intended to limit the embodiments according to the concepts of the present invention to the particular forms disclosed, but includes all modifications, equivalents, or alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by these terms. The terms are used only to distinguish one element from another; for example, without departing from the scope of the rights according to the concept of the present invention, a first element may be referred to as a second element, and a second element may likewise be referred to as a first element.

It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no intervening elements. Other expressions that describe the relationship between components, such as "between" and "directly between" or "adjacent to" and "directly adjacent to", should be interpreted in the same way.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like are used to specify that the features, numbers, steps, operations, elements, parts or combinations thereof described herein are present, but do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the relevant art and, unless explicitly defined herein, are not to be interpreted in an idealized or overly formal sense.

As used herein, a module may refer to a functional or structural combination of hardware for performing the method according to an embodiment of the present invention, or of software that can drive that hardware. Accordingly, a module may refer to program code together with a logical unit or set of hardware resources capable of executing that program code, and does not necessarily mean physically connected code or a particular kind of hardware.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached hereto.

FIG. 1 shows a block diagram of a security system according to an embodiment of the present invention, and FIG. 2 shows a schematic block diagram of the security apparatus shown in FIG. 1.

Referring to FIG. 1, a security system 10 according to an embodiment of the present invention includes internal hosts 200, external hosts 300, a security device 100, an internal network 210, and an external network 310.

The internal hosts 200 are connected to the security device 100 through the internal network 210 and can send and receive packets with the external hosts 300 through the security device 100.

For example, each of the internal hosts 200 may be a PC, a smart phone, a tablet PC, a mobile internet device (MID), an internet tablet, an Internet of Things (IoT) device, a desktop computer, a laptop computer, a workstation computer, or a personal digital assistant (PDA), but is not limited to these.

The external hosts 300 are connected to the security device 100 through the external network 310 and can transmit and receive packets with the internal hosts 200 through the security device 100.

For example, each of the external hosts 300 may be a domain name system (DNS) server, a network time protocol (NTP) server, a simple service discovery protocol (SSDP) server, a peer-to-peer (P2P) server, a web server, or another type of server, but is not limited to these.

Each of the internal network 210 and the external network 310 may refer to a wired Internet network, a wireless Internet network, or a WiFi network.

The security device 100 may be connected to the internal hosts 200 through the internal network 210 and may be connected to the external hosts 300 through the external network 310.

For example, the security device 100 may be an intrusion prevention system (IPS) or an intrusion detection system (IDS) that collects packets in the network and protects against external attacks based on predetermined packet patterns, but is not limited to these.

To protect the internal hosts 200 from any attacker connected to the external network 310, the security device 100 can record a log history (log1, log2, ...) of packet transmission and reception between the external hosts 300 and the internal hosts 200.

For example, when one of the external hosts 300 requests to send a data packet to one of the internal hosts 200, the security device 100 can record the request to transfer the data packet to that host as a log history (log1, log2, ...) together with identifiers (ID1, ID2, ID3, ID4, ...).

That is, the security apparatus 100 sets the external hosts 300 as detection targets and the internal hosts 200 as target hosts, and can record in real time a log history of packet transmission and reception between the detection targets and the target hosts.

The security device 100 may define attack step categories CATE1, CATE2, ..., CATEn using the recorded log history log1, log2, .... Here, defining an attack step category means that the security device 100 analyzes the past log history of packet transmission and reception between the external hosts 300 and the internal hosts 200 and classifies it according to the attack step to which it corresponds.

Since an attacker attacks a target host by following a certain step-by-step attack method, the security device 100 classifies the attacker's attack method step by step and can define attack step categories (CATE1, CATE2, ..., CATEn) corresponding to each step. The manner in which the security device 100 defines the attack step categories (CATE1, CATE2, ..., CATEn) will be described in detail with reference to FIG. 3.

The security device 100 matches the current log history LOG of packet transmission and reception between the external hosts 300 and the internal hosts 200 with the attack step categories CATE1, CATE2, ..., CATEn, and can thereby determine the attack intention of each of the external hosts 300. Here, the current log history (LOG) means the log history recorded so far for the transmission and reception of packets between the external hosts 300 and the internal hosts 200.

For example, when the log history recorded so far for any one of the external hosts 300 matches a specific attack step category, the security device 100 can determine that the host has the attack intention corresponding to the matched attack step category.

The security device 100 can perform a countermeasure corresponding to the attacker's intention. That is, the security device 100 may perform a countermeasure corresponding to each attack step category (CATE1, CATE2, ..., CATEn).

For example, the security device 100 controls the transmission and reception of packets between the internal hosts 200 and the external hosts 300 to protect the internal hosts 200 from any attacker connected to the external network 310.

That is, the security device 100 can block downlink packets that it receives from the external hosts 300 through the external network 310, or uplink packets that it receives from the internal hosts 200 through the internal network 210.

The security device 100 may isolate a particular internal host 200 from the internal network 210 to protect the internal hosts 200 from any attacker connected to the external network 310. That is, the security device 100 may cut off from the internal network 210 an internal host that has been determined to have become a zombie host as a result of an attacker's attack.

As described above, the security device 100 according to the embodiment of the present invention can analyze the log history of packet transmission and reception between the external hosts 300 and the internal hosts 200 to identify the attack intention of the attacker, and can neutralize the attacker's attack by performing a countermeasure corresponding to that attack intention. Since the security device 100 according to the embodiment of the present invention identifies attack intentions and performs countermeasures, it can effectively block an attacker's attack without having to provide a separate defense against every possible attack method.

Referring to FIG. 2, the security device 100 according to an embodiment of the present invention may include a control module 110, a log history generation module 120, and a category generation module 130.

The log history generation module 120 may record a log history of transmission and reception of packets between the external hosts 300 and the internal hosts 200.

The category generation module 130 may define attack step categories CATE1, CATE2, ..., CATEn using the past log history of packet transmission and reception between the external hosts 300 and the internal hosts 200.

The control module 110 can match the current log history LOG of packet transmission and reception between the external hosts 300 and the internal hosts 200 with each of the attack step categories CATE1, CATE2, ..., CATEn.

That is, the control module 110 can determine which of the attack step categories the current log history (LOG) of each of the external hosts 300 matches.

The control module 110 can determine the attack intent of each of the external hosts 300 according to the matching result.

For example, if the current log history of one of the external hosts 300 matches a specific attack step category, the control module 110 may determine that the host has the attack intention corresponding to the matched attack step category.

Accordingly, the control module 110 may perform a countermeasure corresponding to the matched attack step category.

For example, the control module 110 may determine that the external hosts 300 do not have an attack intention if the current log history LOG of the external hosts 300 does not match the attack step categories.

FIG. 3 is a conceptual diagram for explaining a method by which a security device according to an embodiment of the present invention determines an attack intention of an attacker.

Referring to FIG. 3, the security device 100 may record a log history of packet transmission and reception between the first host 200' and the second host 300'.

Here, the first host 200' is one of the internal hosts 200 that transmits and receives packets to and from the second host 300', and the second host 300' is one of the external hosts 300 that transmits and receives packets to and from the first host 200'.

First, the security device 100 analyzes the past log history of packet transmission and reception between the internal hosts 200 and the external hosts 300 to define attack step categories (CATE1, CATE2, CATE3, and CATE4).

For example, if the past log history includes content for searching for a connectable IP port of the target host, the security device 100 may define the past log history as a first attack step category (CATE1).

For example, if the past log history includes content for searching for a vulnerability of the target host, the security device 100 may define the past log history as a second attack step category (CATE2).

For example, if the past log history includes content for acquiring the root authority of the target host, the security device 100 may define the past log history as a third attack step category (CATE3).

For example, if the past log history includes content for transmitting a data file of the target host that has a high security level, the security device 100 may define the past log history as a fourth attack step category (CATE4).

The security device 100 matches the current log history LOG, which covers the log histories (log1, log2, and log3) between the first host 200' and the second host 300', with each of the attack step categories (CATE1, CATE2, CATE3, and CATE4).

For example, if the current log history LOG matches the first attack step category CATE1 more than a predetermined number of times, the security device 100 may determine that the second host 300' has the attack intention corresponding to the first attack step category (CATE1).

That is, the security device 100 determines that the second host 300' has searched for IP ports through which to access the first host 200' more than the predetermined number of times as a preparatory step for an attack, and can block the transmission and reception of packets between the second host 300' and the first host 200'.

For example, if the current log history LOG matches the second attack step category CATE2, the security device 100 may determine that the second host 300' has an attack intention toward the first host 200' corresponding to the second attack step category CATE2.

That is, the security device 100 may determine that the second host 300' is searching for a vulnerability of the first host 200' in order to attack it. However, by the time the security device 100 checks the current log history (LOG), the second host 300' may already have found a vulnerability of the first host 200'. Accordingly, the security device 100 may block the transmission and reception of packets between the first host 200' and the second host 300' to block an attack on the vulnerability.

For example, if the current log history LOG matches the third attack step category CATE3, the security device 100 may determine that the second host 300' has the attack intention corresponding to the third attack step category CATE3.

That is, the security device 100 may determine that the second host 300' intends to acquire the root authority of the first host 200'. However, by the time the security device 100 checks the current log history LOG, the second host 300' may already have acquired the root authority of the first host 200'. Accordingly, the security device 100 determines that the first host 200' is a zombie host, blocks the transmission and reception of packets between the first host 200' and the second host 300', and can isolate the first host 200' from the internal network 210.

For example, if the current log history LOG matches the fourth attack step category CATE4, the security device 100 may determine that the second host 300' has the attack intention corresponding to the fourth attack step category (CATE4).

That is, the security device 100 can determine that the second host 300' has acquired the root authority of the first host 200' and is taking a data file having a high security level without authorization. Therefore, in order to prevent further data leakage, the security device 100 may block the transmission and reception of packets between the first host 200' and the second host 300'.

According to an embodiment, the current log history may be matched to at least two or more of the first through fourth attack phase categories (CATE1, CATE2, CATE3, and CATE4).

In this way, the security device 100 can analyze the past log history, generate the first to fourth attack step categories (CATE1, CATE2, CATE3, and CATE4) corresponding to each attack step, and match the current log history with the first to fourth attack step categories CATE1, CATE2, CATE3, and CATE4 to determine the attack intention of the second host 300'.

Thus, even if the second host 300' has an intention to attack, the security device 100 can respond to the attacks of the second host 300' in stages, and responding according to the attack step lowers the possibility of false positives.

Although the first to fourth attack step categories (CATE1, CATE2, CATE3, and CATE4) have been described with reference to FIG. 3, it is to be understood that the present invention is not limited thereto. The security device 100 according to an embodiment of the present invention may define various attack step categories according to an attacking step of an attacker.

FIG. 4 is a flowchart illustrating an operating method of a security apparatus according to an embodiment of the present invention.

Referring to FIG. 4, the security device 100 may record a past log history of packet transmission / reception between hosts. The security device 100 may define attack step categories using the past log history (S410).

The security device 100 may match each of the current log history of the hosts and the attack step categories (S420).

The security device 100 may determine the attack intent of each host according to the matching result (S430).

The security device 100 may control transmission / reception of packets between hosts in response to the determination result (S440).
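The staged matching described for FIG. 3 and the S410 to S440 flow of FIG. 4 can be written as a small program. The following Python is an added example, not code from the patent or its assignee. It assumes that the log history has already been reduced to records tagged with what each packet exchange did (the tags `port_probe`, `vuln_probe`, `root_acquired` and `high_security_file_out`, the host identifiers, and the "past log history" labels are all constructed for this example), that the predetermined number of times for CATE1 is 3, and that each attack step category is evaluated per (external host, target host) pair. The countermeasures follow the description: block the pair for any matched step and, when the third step matches, additionally declare the target host a zombie host and isolate it.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Category(Enum):
    """Attack step categories CATE1..CATE4 as defined for FIG. 3."""
    CATE1 = "search for a connectable IP port of the target host"
    CATE2 = "search for a vulnerability of the target host"
    CATE3 = "acquire the root authority of the target host"
    CATE4 = "transmit a high-security-level data file of the target host"


@dataclass(frozen=True)
class LogEntry:
    src: str      # external host (detection target), an ID from hosts 300
    dst: str      # internal host (target host), an ID from hosts 200
    content: str  # what the recorded packet exchange did (constructed tag)


# S410 input: the "past log history" the category generation module analyzes.
# Constructed for this example: content seen in earlier attacks, labelled with
# the attack step it belonged to.
PAST_HISTORY: List[Tuple[str, Category]] = [
    ("port_probe", Category.CATE1),
    ("vuln_probe", Category.CATE2),
    ("root_acquired", Category.CATE3),
    ("high_security_file_out", Category.CATE4),
]

# Predetermined number of times a category must match before it counts.
# The description applies the count only to CATE1, while claim 1 applies a
# count to every category, so the threshold is configurable per category.
DEFAULT_THRESHOLDS: Dict[Category, int] = {
    Category.CATE1: 3, Category.CATE2: 1, Category.CATE3: 1, Category.CATE4: 1,
}


@dataclass
class Decision:
    """S430/S440 result for one (attacker, target host) pair."""
    attacker: str
    target: str
    matched: List[Category]
    block_pair: bool = False
    target_is_zombie: bool = False
    isolate_target: bool = False


def define_attack_step_categories(past_history: Iterable[Tuple[str, Category]]) -> Dict[str, Category]:
    """S410: derive each category's definition criterion from past log history.

    Returns a mapping from recorded content to the attack step it indicates and
    rejects content that the past history assigns to two different steps.
    """
    criteria: Dict[str, Category] = {}
    for content, category in past_history:
        if criteria.setdefault(content, category) is not category:
            raise ValueError(f"{content!r} is assigned to two attack steps")
    return criteria


def match_log_history(entries, criteria, thresholds=DEFAULT_THRESHOLDS):
    """S420: per (src, dst) pair, list the categories whose criterion is met
    at least the predetermined number of times."""
    counts = defaultdict(Counter)
    for entry in entries:
        category = criteria.get(entry.content)
        if category is not None:  # content outside every criterion is ignored
            counts[(entry.src, entry.dst)][category] += 1
    matches = {}
    for pair, counter in counts.items():
        matched = [c for c in Category if counter[c] >= thresholds[c]]
        if matched:  # no match at all means no attack intention (see FIG. 2)
            matches[pair] = matched
    return matches


def decide_countermeasures(matches):
    """S430 + S440: a matched host is an attacker; block the pair, and if the
    third step matched, treat the target host as a zombie host and isolate it."""
    decisions = []
    for (src, dst), matched in matches.items():
        d = Decision(attacker=src, target=dst, matched=matched, block_pair=True)
        if Category.CATE3 in matched:
            d.target_is_zombie = True
            d.isolate_target = True
        decisions.append(d)
    return decisions


def operate(entries, thresholds=DEFAULT_THRESHOLDS):
    """Run S410 through S440 over a current log history (LOG)."""
    criteria = define_attack_step_categories(PAST_HISTORY)
    return decide_countermeasures(match_log_history(entries, criteria, thresholds))


# Constructed current log history (LOG) for four external hosts.
CURRENT_LOG = [
    LogEntry("ext-A", "int-1", "port_probe"),
    LogEntry("ext-A", "int-1", "port_probe"),
    LogEntry("ext-A", "int-1", "port_probe"),
    LogEntry("ext-A", "int-1", "vuln_probe"),              # CATE1 (3x) and CATE2
    LogEntry("ext-B", "int-2", "port_probe"),              # once: below CATE1 threshold
    LogEntry("ext-C", "int-3", "root_acquired"),
    LogEntry("ext-C", "int-3", "high_security_file_out"),  # CATE3 and CATE4
    LogEntry("ext-D", "int-4", "http_get"),                # matches no criterion
]

if __name__ == "__main__":
    for decision in operate(CURRENT_LOG):
        print(decision)
```

Running it yields decisions only for `ext-A` (blocked, two categories matched, which is the "at least two or more" case the description allows) and `ext-C` (blocked, and `int-3` marked as a zombie host and isolated); `ext-B` stays below the CATE1 threshold and `ext-D` never matches a criterion, so neither is treated as having an attack intention. Lowering the CATE1 threshold is what turns the single probe from `ext-B` into a match, which is the knob the description relies on to keep false positives down.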

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

100: security device
200: Internal host
210: Internal network
300: External host
310: External network

Claims (12)

A method of operating a security device that records log histories for packet transmission and reception between a target host and other hosts,
Defining attack step categories using the log histories with the other hosts;
Matching each of the log histories with the other hosts and each of the attack phase categories;
Determining an attack intention of any one of the hosts based on the matching result when the host is determined to be an attacker; And
And controlling transmission / reception of the packet between the hosts corresponding to the determination result,
The matching step comprises:
Determining whether log histories with arbitrary other hosts include at least a certain number of specific contents corresponding to a definition criterion of each of the attack step categories;
Determining that the arbitrary other host is an attacker if the log histories include at least one of the specific contents a certain number of times or more; And
And determining an attack step category of any other host based on the specific content included over the predetermined number of times if the arbitrary other host is determined to be the attacker,
The attacking step includes:
A first step in which the specific contents are contents to search for a connectable IP port of the target host;
A second step of searching for a specific vulnerability of the target host;
A third step in which the specific content is content to acquire a root authority of the target host; And
And the fourth step is a step of transmitting the data file having the high security level of the target host,
Wherein the controlling comprises:
Blocking the transmission / reception of a packet between the target host and the arbitrary other host when the arbitrary other host matches the attacking step category of the step 3, concurrently determining the target host as a zombie host, A method of operating a security device that isolates it from a network.
delete 2. The method according to claim 1,
and determining that the arbitrary other host has attack intent if the arbitrary other host matches the attack-step category of the first stage.
The method according to claim 1, further comprising blocking packet transmission and reception between the target host and the arbitrary other host if the arbitrary other host matches the attack-step category of the first stage.
delete
The method according to claim 1, further comprising determining that the arbitrary other host has attack intent if the arbitrary other host matches the attack-step category of the second stage.
The method according to claim 1, further comprising blocking packet transmission and reception between the target host and the arbitrary other host if the arbitrary other host matches the attack-step category of the second stage.
delete
The method according to claim 1, further comprising determining that the arbitrary other host has attack intent if the arbitrary other host matches the attack-step category of the third stage.
delete
A security device of the target host, comprising:
a log-history generation module that records log histories of packet transmission and reception between the target host and other hosts;
a category generation module that defines attack-step categories using the log histories with the other hosts; and
a control module that matches the log histories with the other hosts against each of the attack-step categories and acts on the result when one of the other hosts is determined to be an attacker according to the matching result,
wherein the control module determines whether the log histories with an arbitrary other host include, at least a predetermined number of times, any one of the specific contents corresponding to the definition criterion of each attack-step category; if they do, determines that the arbitrary other host is an attacker; and, having determined that the arbitrary other host is the attacker, determines the attack-step category of the arbitrary other host based on the specific content that was included at least the predetermined number of times,
wherein the attack steps comprise:
a first stage, in which the specific content is content that searches for a connectable IP port of the target host;
a second stage, in which the specific content is content that searches for a specific vulnerability of the target host;
a third stage, in which the specific content is content that acquires root authority on the target host; and
a fourth stage, in which the specific content is content that transmits a data file of high security level from the target host,
and wherein, when the arbitrary other host matches the attack-step category of the third stage, the control module blocks packet transmission and reception between the target host and the arbitrary other host and at the same time judges the target host to be a zombie host and isolates it.
delete
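The claims above describe a counting rule rather than an implementation: per peer host, tally log records that carry each stage's "specific content", call the peer an attacker once any stage's tally reaches a threshold, assign the stage, and escalate a third-stage match to a zombie verdict on the protected host. The following is an added example of that rule run over a constructed packet log; it is not code from the patent or its assignee. The stage thresholds, the vulnerability-probe markers, the `uid=0(root)` and `FILE` payload conventions, the list of high-security files, the `LogRecord` fields and the sample log are all assumptions made for illustration, and so is the choice of the highest qualifying stage when several stages reach their threshold.

```python
"""Staged-attack classification over a per-host packet log.

Added example, not code from the patent or its assignee. Per peer host it
counts records carrying each stage's "specific content"; a peer is an
attacker when any stage reaches its threshold, its category is the highest
stage that did (assumption: the claims do not say which wins), and a
third-stage match also marks the target host as a zombie to isolate.
Thresholds, signatures, field names and the sample log are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The four attack-step categories named in the claims.
PORT_SCAN, VULN_SEARCH, ROOT_ACQUIRED, EXFILTRATION = 1, 2, 3, 4

# "At least a certain number of times", per stage (assumed values).
THRESHOLDS = {PORT_SCAN: 5, VULN_SEARCH: 3, ROOT_ACQUIRED: 1, EXFILTRATION: 1}

# Files whose outbound transfer counts as fourth-stage content (constructed).
HIGH_SECURITY_FILES = {"/etc/shadow", "/srv/db/customers.sqlite"}

# Hypothetical payload markers for second-stage vulnerability probing.
VULN_PROBES = ("../../", "%n%n", "() { :;};", "' OR 1=1")


@dataclass(frozen=True)
class LogRecord:
    peer: str          # the "arbitrary other host"
    direction: str     # "in": peer -> target host, "out": target host -> peer
    dst_port: int
    tcp_flags: str     # e.g. "S", "SA", "PA", "R"
    payload: str = ""


def stage_of(rec: LogRecord, seen_ports: Set[int]) -> Optional[int]:
    """Return the stage whose specific content this record carries, or None.

    seen_ports is per-peer state so a port sweep counts once per distinct
    port rather than once per retransmitted SYN.
    """
    if rec.direction == "in" and rec.tcp_flags == "S":
        if rec.dst_port in seen_ports:
            return None
        seen_ports.add(rec.dst_port)
        return PORT_SCAN
    if rec.direction == "in" and any(m in rec.payload for m in VULN_PROBES):
        return VULN_SEARCH
    if rec.direction == "out" and "uid=0(root)" in rec.payload:
        return ROOT_ACQUIRED
    if rec.direction == "out" and rec.payload.startswith("FILE "):
        if rec.payload.split(" ", 1)[1] in HIGH_SECURITY_FILES:
            return EXFILTRATION
    return None


@dataclass
class Verdict:
    attacker: bool
    stage: Optional[int]
    counts: Dict[int, int]
    block: bool               # cut packet tx/rx with this peer
    target_is_zombie: bool    # target host judged compromised; isolate it


def classify(log: List[LogRecord]) -> Dict[str, Verdict]:
    """Apply the matching rule to every peer that appears in the log."""
    counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    ports: Dict[str, Set[int]] = defaultdict(set)
    for rec in log:
        counts[rec.peer]  # register the peer even if nothing matches
        stage = stage_of(rec, ports[rec.peer])
        if stage is not None:
            counts[rec.peer][stage] += 1

    verdicts: Dict[str, Verdict] = {}
    for peer, per_stage in counts.items():
        reached = [s for s, n in per_stage.items() if n >= THRESHOLDS[s]]
        stage = max(reached) if reached else None
        verdicts[peer] = Verdict(
            attacker=stage is not None,
            stage=stage,
            counts=dict(per_stage),
            # The claims block on a first-, second- or third-stage match;
            # blocking on a fourth-stage match is assumed here.
            block=stage is not None,
            # The claims tie the zombie verdict to the third stage; treating
            # the fourth stage the same is an assumption.
            target_is_zombie=stage is not None and stage >= ROOT_ACQUIRED,
        )
    return verdicts


# Constructed sample log (not captured from any real system).
SAMPLE_LOG: List[LogRecord] = [
    # 10.0.0.7 sweeps six ports, probes a traversal bug three times,
    # echoes back a root shell banner, then pulls /etc/shadow.
    *[LogRecord("10.0.0.7", "in", p, "S") for p in (21, 22, 23, 80, 443, 8080)],
    *[LogRecord("10.0.0.7", "in", 80, "PA", "GET /../../etc/passwd HTTP/1.1")
      for _ in range(3)],
    LogRecord("10.0.0.7", "out", 4444, "PA", "uid=0(root) gid=0(root)"),
    LogRecord("10.0.0.7", "out", 4444, "PA", "FILE /etc/shadow"),
    # 10.0.0.9 is an ordinary web client: one port, a retransmitted SYN.
    LogRecord("10.0.0.9", "in", 443, "S"),
    LogRecord("10.0.0.9", "in", 443, "S"),
    LogRecord("10.0.0.9", "in", 443, "PA", "GET /index.html HTTP/1.1"),
    # 10.0.0.12 touches four ports, one short of the first-stage threshold.
    *[LogRecord("10.0.0.12", "in", p, "S") for p in (22, 25, 110, 143)],
]


if __name__ == "__main__":
    for peer, verdict in classify(SAMPLE_LOG).items():
        print(peer, verdict)
```

Two points a practitioner would check before deploying such a rule: the first-stage counter fires on distinct ports, so a legitimate client that talks to several services on the target will accumulate first-stage hits and needs a threshold set above its normal spread; and the third- and fourth-stage detectors key on outbound payload content, which only works if the device sees the cleartext of that traffic.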
KR1020150190183A 2015-12-30 2015-12-30 Security device and operating method thereof KR101812732B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150190183A KR101812732B1 (en) 2015-12-30 2015-12-30 Security device and operating method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150190183A KR101812732B1 (en) 2015-12-30 2015-12-30 Security device and operating method thereof

Publications (2)

Publication Number Publication Date
KR20170079511A KR20170079511A (en) 2017-07-10
KR101812732B1 true KR101812732B1 (en) 2017-12-27

Family

ID=59355867

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150190183A KR101812732B1 (en) 2015-12-30 2015-12-30 Security device and operating method thereof

Country Status (1)

Country Link
KR (1) KR101812732B1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113923039B (en) * 2021-10-20 2023-11-28 北京知道创宇信息技术股份有限公司 Attack equipment identification method and device, electronic equipment and readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100819049B1 (en) * 2006-12-06 2008-04-02 한국전자통신연구원 Apparatus for detecting and analyzing alert of intrusion and method for displaying it by graph in n-dimensions using the same
JP2010152773A (en) * 2008-12-26 2010-07-08 Mitsubishi Electric Corp Attack determination device, and attack determination method and program

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100819049B1 (en) * 2006-12-06 2008-04-02 한국전자통신연구원 Apparatus for detecting and analyzing alert of intrusion and method for displaying it by graph in n-dimensions using the same
JP2010152773A (en) * 2008-12-26 2010-07-08 Mitsubishi Electric Corp Attack determination device, and attack determination method and program

Also Published As

Publication number Publication date
KR20170079511A (en) 2017-07-10

Similar Documents

Publication Publication Date Title
US9942270B2 (en) Database deception in directory services
EP2147390B1 (en) Detection of adversaries through collection and correlation of assessments
EP2156361B1 (en) Reduction of false positive reputations through collection of overrides from customer deployments
Sinha et al. Information Security threats and attacks with conceivable counteraction
US11563763B1 (en) Protection against attacks in internet of things networks
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
Kumar et al. Review on security and privacy concerns in Internet of Things
Kumar et al. DDOS prevention in IoT
Bajpai et al. The art of mapping IoT devices in networks
Seo et al. A study on efficient detection of network-based IP spoofing DDoS and malware-infected Systems
Nasser et al. Provably curb man-in-the-middle attack-based ARP spoofing in a local network
CN114301647A (en) Prediction defense method, device and system for vulnerability information in situation awareness
De Donno et al. A taxonomy of distributed denial of service attacks
Bagay Information security of Internet things
Nagesh et al. A survey on denial of service attacks and preclusions
KR101593897B1 (en) Network scan method for circumventing firewall, IDS or IPS
KR101812732B1 (en) Security device and operating method thereof
Erickson et al. No one in the middle: Enabling network access control via transparent attribution
Cao et al. Covert Channels in SDN: Leaking Out Information from Controllers to End Hosts
Patel et al. Security Issues, Attacks and Countermeasures in Layered IoT Ecosystem.
Nayak et al. Depth analysis on DoS & DDoS attacks
Rodrigues et al. Design and implementation of a low-cost low interaction IDS/IPS system using virtual honeypot approach
Everson et al. A Survey on Network Attack Surface Mapping
Gorbatiuk et al. Method of detection of http attacks on a smart home using the algebraic matching method
Kalil Policy Creation and Bootstrapping System for Customer Edge Switching

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
AMND Amendment
E601 Decision to refuse application
AMND Amendment
X701 Decision to grant (after re-examination)
GRNT Written decision to grant