KR20130116418A - Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol - Google Patents
Description
The present invention relates to an IP reputation analysis apparatus, method and computer-readable recording medium, and more particularly to an IP reputation analysis apparatus, method and computer-readable recording medium for analyzing the reputation of the IP that transmitted a packet through risk analysis of each packet transmitted on the network.
In general, the Internet is an open network in which anyone, anywhere in the world, can freely connect to a remote computer using the common TCP/IP protocol. Beyond transmitting basic character information, and with the development of compression technology, it offers various services such as e-mail, file transfer and the World Wide Web (WWW).
As the use of the Internet has rapidly increased in Korea and the world, the importance of the Internet has been rapidly increasing as a strategic tool for improving efficiency and productivity throughout the existing industries. As a result, new business opportunities through the Internet have been continuously created, and the number of Internet service providers is also increasing.
On the other hand, one element that hinders the communication environment through the Internet is attacks in which a malicious program is used against a specific target computer connected to the Internet to get at desired information.
A malicious program is executable code written for malicious purposes, also called malware or malicious code, and includes viruses, worm viruses, Trojan horses and the like.
In addition, spyware, similar to malicious programs, is software that infiltrates another person's computer and extracts important personal information. In recent years it has been developed to find out user names, IP addresses, favorite URLs, personal IDs and passwords, and it is becoming a problem because there are many ways it can be used maliciously. The main symptoms caused by such malicious programs are network traffic, system performance degradation, file deletion, e-mail sending, personal information leakage, remote control and the like. In addition, most malicious programs apply various anti-analysis techniques so that their intention and behavior cannot be easily noticed even when they are analyzed by security experts.
For example, a typical malicious program (e.g., malware) detection procedure scans for malware based on a signature and performs the corresponding malware handling process when malware is detected.
The signature-based malware diagnosis method is a method of collecting and diagnosing virus samples. In other words, when new computer viruses appear, antivirus vendors have to collect these samples, figure out how to diagnose and treat them, and add them to the antivirus database. This method is referred to as a reactive method, and the identifying mark of the virus is referred to as a 'signature'.
As described above, the conventional malicious program detection method generates a signature through expert analysis of previously discovered malicious programs and detects the same malicious program, when it is used again, based on the generated signature. A malicious program that is very similar to a known malicious program but does not have exactly the same signature cannot be detected, and unknown malicious programs cannot be detected and dealt with immediately.
On the other hand, as a technique for detecting such malicious programs or malicious sites, Korean Patent Registration No. 10-1044274, entitled "A malicious site detection apparatus, a method and a recording medium on which a computer program is recorded" (AhnLab), discloses a method of determining whether the current site is a dangerous site, or whether a process currently running on the computer is abnormal, by checking, at the time a process of a program downloaded from the site is executed, whether a certificate is included in the process and whether the stack structure is normal.
However, the symptoms and spreading methods of malicious programs are gradually becoming more complicated and intelligent, and such conventional antivirus programs are limited in that they cannot diagnose and treat the various malicious programs.
On the other hand, in order to detect malicious programs or malicious sites faster, accurate identification of the attacker and victim IPs in the attack log is required, along with information for quickly determining whether an attack log entry is a true or false positive.
Therefore, there is a need to determine whether an IP is risky based on past detection records, and to determine quickly and accurately whether an attack log entry is a true or false positive.
SUMMARY OF THE INVENTION An object of the present invention is to provide an IP reputation analysis apparatus, method and computer-readable recording medium that maintain reliable IP reputation information for each IP on a network and thereby provide, when an event occurs, reliable identification of the attacker and the target and accurate determination of whether the detected attack is a true or false positive.
Another object of the present invention is to provide an IP reputation analysis apparatus, method and computer-readable recording medium capable of maintaining reliable IP reputation information for each IP on a network and providing that information in association with trusted external IP reputation information.
In addition, another object of the present invention is to provide an IP reputation analysis apparatus, method and computer-readable recording medium that maintain reliable IP reputation information for each IP on the network so that, when a user enters an IP address, the reputation and collected information for that IP can be looked up.
In order to achieve the above-described object of the present invention and to achieve the specific effects of the present invention described below, the characteristic structure of the present invention is as follows.
According to an aspect of the present invention, an IP reputation analysis apparatus includes: a signature information database that quantifies each of a plurality of signatures suspected of an attack through a network and stores each one mapped to a preset risk and false positive rate; a packet collecting unit that collects each packet transmitted on the network; a signature analysis unit that analyzes each packet collected by the packet collecting unit to determine whether it contains a code corresponding to a specific signature previously stored in the database; a reputation score calculator that, when a code corresponding to a specific signature is found as a result of the analysis of the signature analysis unit, reads the risk and false positive rate information preset for the found signature from the signature information database and calculates a reputation score from the read risk and false positive rate information; and an analysis result storage unit that stores the reputation score calculated by the reputation score calculator, together with the IP information of the packet, in a reputation information database.
Preferably, the reputation score calculator calculates the reputation score so that it is proportional to the risk and to the false positive rate, respectively.
Preferably, the reputation score calculator calculates the reputation score by the following formula.
Preferably, the apparatus further includes an external reputation information collecting unit for collecting external reputation information through an external reputation information providing server and storing the collected reputation information in the reputation information database.
Preferably, the apparatus further includes an information update unit for collecting and updating the risk and false positive rate information for a particular signature stored in the signature information database.
Preferably, the apparatus further includes an information request processing unit that generates and provides the reputation information stored in the reputation information database upon request of specific reputation information from the IP reputation analysis apparatus.
Preferably, the device transmits the reputation information stored in the reputation information database to the user terminal periodically, aperiodically or at the request of the user terminal.
According to another aspect of the present invention, an IP reputation analysis method performed by an IP reputation analysis apparatus includes: quantifying each of a plurality of signatures suspected of an attack through a network and storing each one, mapped to a predetermined risk and false positive rate, in a signature information database; collecting, in a packet collecting unit, each packet transmitted on the network; analyzing, in a signature analysis unit, each packet collected by the packet collecting unit to determine whether it contains a code corresponding to a specific signature previously stored in the database; when a code corresponding to a specific signature is found as a result of the analysis of the signature analysis unit, reading, in a reputation score calculator, the risk and false positive rate information preset for the found signature from the signature information database and calculating a reputation score from the read risk and false positive rate information; and storing, by an analysis result storage unit, the reputation score calculated by the reputation score calculator, together with the IP information of the packet, in a reputation information database.
The information for carrying out the IP reputation analysis method may be stored in a recording medium readable by a server computer. Such a recording medium includes all kinds of recording media in which programs and data are stored so that they can be read by a computer system. Examples include ROM (Read Only Memory), RAM (Random Access Memory), CD (Compact Disk), DVD (Digital Video Disk)-ROM, magnetic tape, floppy disk and optical data storage devices, as well as transmission over the Internet. Such a recording medium may also be distributed over a networked computer system so that computer-readable code can be stored and executed in a distributed manner.
As described above, according to the present invention, quantifying the IP reputation analysis result makes it possible to determine whether an IP is risky based on past detection records, and to immediately identify the attacker and judge the attack according to the security policy.
In addition, according to the present invention, by maintaining the external IP reputation information and the internally measured IP reputation information, it is possible to accurately identify the attacker and the target of the attack when an event occurs and to determine at an early stage whether the detected attack is a true or false positive.
In addition, according to the present invention, measuring the reputation score for each site has the advantage that the security level of each site can be determined and a security policy established.
FIG. 1 is a diagram showing the configuration of an IP reputation analysis system according to an embodiment of the present invention.
FIG. 2 is a block diagram showing a detailed structure of an IP reputation analysis apparatus according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating an analysis procedure using an IP reputation analysis apparatus according to an embodiment of the present invention.
FIGS. 4 and 5 are diagrams showing a reputation value and a graph inquiry screen for a specific IP according to an embodiment of the present invention.
FIG. 6 is a view showing a log query screen for a specific attack and IP according to an embodiment of the present invention.
FIG. 7 is a diagram illustrating a numerical and graph inquiry screen for each attack type for a specific IP according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating a log inquiry screen for a specific attack according to an embodiment of the present invention.
FIG. 9 is a diagram illustrating a log inquiry screen for each attack type for a specific IP according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating a DB information management screen of a TMS to interwork with according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION The following detailed description of the invention refers to the accompanying drawings that show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in connection with an embodiment. It is also to be understood that the position or arrangement of the individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the invention. Accordingly, the following detailed description is not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.
The present invention proposes an IP reputation analysis apparatus and method that perform reputation analysis for the IP that transmitted a packet by calculating a reputation score from the risk and false positive (FP) rate of each packet transmitted on the network.
In more detail, the present invention checks each packet against a plurality of signatures and, when the check finds a code corresponding to a specific signature, performs reputation analysis for each IP by calculating a reputation score according to the risk and false positive rate preset for that signature.
On the other hand, the signature applied in the present invention can represent any attack on the network that can be expressed as a signature, including network-based attacks as well as malware. For example, attack methods such as an attack on a network using a product vulnerability, network scanning, and Distributed Denial of Service (DDoS) can be implemented as signatures.
In addition, in the specification of the present invention described below, the term 'malware' is an abbreviation of malicious software and refers to software that is intentionally designed to perform malicious activities, such as destroying the system or leaking information, contrary to the intention and interest of the user. Malware is a broader concept that includes viruses, which are characterized by self-replication and file infection. Many so-called non-virus malware programs are as destructive and dangerous as viruses. Trojan horses and keyboard input leakers are non-virus malware. In addition, there are remote management programs and various spyware. Although there are no reports of mass dissemination or serious damage to the public, the potential for major accidents is high. In other words, the malware referred to in the present invention described below is a generic name for executable code written for malicious purposes, and is a broad concept including malicious programs, malicious code and the like. Malware takes various forms and may be classified into a virus, a worm virus, a Trojan horse and the like, depending on its self-replicating ability and the presence or absence of an infection target. In addition, spyware, similar to malicious programs, is software that infiltrates another person's computer and extracts important personal information. In recent years it has been developed to find out user names, IP addresses, favorite URLs, personal IDs and passwords, and it is becoming a problem because there are many ways it can be used maliciously. Thus, the present invention can be applied to the detection and diagnosis of code written for any malicious purpose, including such spyware, adware, tracking code and the like.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.
The concept of IP reputation analysis is as follows.
First, the concept of malware detection using a network according to the present invention will be described.
Various application programs are executed in the client terminal, and at least one process according to the execution of the corresponding application program is executed. For example,
At this time, whether a packet indicates malware infection is detected by analyzing the packets transmitted and received between the client terminal and the server. For example, the IP reputation analysis apparatus operating in real time diagnoses malware infection of each executed process through the malware signature information stored in a previously stored malware signature DB.
If it is determined that the process is infected with malware based on the diagnosis of malware infection by the signature analyzer, the network access information (e.g., an Internet Protocol (IP) address) of the infected malware is extracted. At this time, in order to calculate the reputation score for the IP according to the present invention, the risk and false positive rate corresponding to the signature are checked. That is, the reputation score for the corresponding IP is calculated from the risk and the false positive rate corresponding to the detected signature.
Meanwhile, the network access information (i.e., IP address) extraction method can be implemented in various ways. In other words, when network traffic is collected, IP can be extracted from the packet in various ways.
For example, the network information can be obtained by running an application for obtaining network information at the user level, driving a hooking driver that hooks a function of the TCP/IP driver at the kernel level, and having the application call the network information obtaining function. In this case, when the IP reputation analyzer is a Windows OS-based system, the function used to obtain network information may be the 'GetTcpTable' or 'GetExtendedTcpTable' function. The 'GetTcpTable' function obtains local/remote IP/port network session information, and the 'GetExtendedTcpTable' function obtains the local/remote IP/port and the ID of the process owning the session. The extracted network access information may be mapped and stored together with the calculated reputation analysis information in a database, and then used in a security policy of each user terminal.
Hereinafter, a system and apparatus according to an embodiment of the present invention will be described with reference to FIGS. 1 and 2.
The IP reputation analysis system is as follows.
FIG. 1 is a diagram showing the configuration of an IP reputation analysis system according to an embodiment of the present invention. Referring to FIG. 1, a system according to the present invention includes a
First, the IP
The external reputation
The
The
Meanwhile, the
The IP
The
The
The
The IP reputation analyzer is as follows.
FIG. 2 is a block diagram showing a detailed structure of an IP reputation analysis apparatus according to an embodiment of the present invention. Referring to FIG. 2, the
The
The
For example, the
That is, as shown in Table 1, risks and false positive rates are mapped and stored for a plurality of signatures, and the signature information may be continuously added, deleted, or updated. In addition, the risk and false positive rate for a particular signature can also be modified. For example, the
On the other hand, Table 1 is an example to help the understanding of the present invention, various kinds of signatures may be included. In addition, the risk and false positive rate is shown in the
In Table 1, the risk level for each signature is set to 1 to 5, which means that the higher the risk value, the higher the risk of malware. At this time, for example, the risk level for each signature may be set based on the criteria as shown in Table 2 below.
In addition, the false positive rate can be set according to the criteria shown in Table 3 below.
In Table 3, the higher the false positive rate value, the lower the probability of false positive detection.
In the
The reputation score calculation method can be implemented by various methods, and preferably calculated to be proportional to the risk and false positive rate, respectively. For example, it may be calculated by the same method as in <
That is, in the above example, since the risk and false positive rate have values in the range of 1 to 5, respectively, according to
As described above, when the reputation
The external reputation
Meanwhile, when the
The TMS
Hereinafter, a procedure performed in the IP reputation analysis apparatus will be described in detail with reference to FIG. 3.
The IP reputation analysis procedure is as follows.
FIG. 3 is a flowchart illustrating an analysis procedure using an IP reputation analysis apparatus according to an embodiment of the present invention. Referring to FIG. 3, first, a risk level and a false positive rate for each signature are set (S301) and stored in a database.
Then, the packet data on the network is collected (S302), and for each packet collected, it is checked whether a code corresponding to the signature stored in the database exists (S303). If a signature detected as a result of the inspection exists (S304), the risk and the false positive rate mapped to the detected signature are searched from the database (S305). The reputation score is calculated using the detected risk and false positive rate for the corresponding signature (S306), and the calculation result is mapped to the IP address information of the corresponding packet and stored in the database (S307).
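Steps S301 to S307 as an added Python example (not code from the patent). Because the patent's scoring formula is not preserved on this page, the score is assumed to be the product of the risk and the false positive value, which is proportional to each; the signature entries, packet payloads and documentation-range IP addresses are constructed for illustration. It also computes the per-IP and per-attack-type averages mentioned for the inquiry screens.

```python
"""IP reputation scoring pipeline following steps S301-S307 (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Signature:
    name: str        # attack type label used in per-type reports
    pattern: bytes   # byte sequence searched for in the packet payload
    risk: int        # 1..5, higher means more dangerous
    fp_value: int    # 1..5, higher means a false positive is LESS likely

    def __post_init__(self):
        # Both values are restricted to the 1..5 range the description uses.
        for field in ("risk", "fp_value"):
            if not 1 <= getattr(self, field) <= 5:
                raise ValueError(f"{self.name}: {field} must be in 1..5")


# S301: signature information database (constructed entries, not from the patent).
SIGNATURE_DB = [
    Signature("sql-injection", b"union select", risk=4, fp_value=3),
    Signature("path-traversal", b"../../", risk=3, fp_value=2),
    Signature("worm-marker", b"x-worm-marker", risk=5, fp_value=5),
]

# S302: collected packets as (source IP, payload); constructed sample traffic.
SAMPLE_PACKETS = [
    ("192.0.2.10", b"GET /item?id=1 UNION SELECT name FROM users"),
    ("192.0.2.10", b"GET /static/../../etc/hosts"),
    ("198.51.100.7", b"HELLO X-WORM-MARKER"),
    ("203.0.113.5", b"GET /index.html"),
    ("192.0.2.10", b"POST /search q=1 union select 1"),
]


def reputation_score(sig):
    """S306: score for one signature hit.

    ASSUMPTION: the product is used because the page only says the score is
    proportional to the risk and to the false positive value; the patent's own
    formula is missing from the page. Range is 1..25, higher is worse.
    """
    return sig.risk * sig.fp_value


def analyze(packets, signature_db):
    """S303-S307: match every packet and store (attack type, score) per source IP."""
    reputation_db = defaultdict(list)
    for src_ip, payload in packets:
        haystack = payload.lower()                 # case-insensitive matching
        for sig in signature_db:                   # S303: check each signature
            if sig.pattern.lower() in haystack:    # S304: signature detected
                # S305/S306: look up risk and FP value, compute the score.
                # S307: store the result keyed by the packet's IP.
                reputation_db[src_ip].append((sig.name, reputation_score(sig)))
    return dict(reputation_db)


def summarize(reputation_db):
    """Average score per IP and per attack type."""
    summary = {}
    for ip, hits in reputation_db.items():
        by_type = defaultdict(list)
        for name, score in hits:
            by_type[name].append(score)
        summary[ip] = {
            "average": mean(score for _, score in hits),
            "by_type": {name: mean(scores) for name, scores in by_type.items()},
        }
    return summary


if __name__ == "__main__":
    for ip, row in summarize(analyze(SAMPLE_PACKETS, SIGNATURE_DB)).items():
        print(ip, row)
```

A signature with a low false positive value lowers the score even at high risk, so noisy signatures weigh less in an IP's average than reliable ones.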
Meanwhile, the embodiments according to the present invention may be embodied in the form of program instructions that can be executed by various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and constructed for the present invention or those available to persons skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as a hard disk, a floppy disk and a magnetic tape; optical media such as CD-ROM and DVD; magnetic recording media such as a floppy disk; and hardware devices specifically configured to store and perform program instructions, such as magneto-optical media, ROM, RAM, flash memory and the like. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.
Examples are as follows.
FIGS. 4 and 5 are diagrams showing a reputation value and a graph inquiry screen for a specific IP according to an embodiment of the present invention. Referring to FIGS. 4 and 5, a reputation score calculated for a specific IP over a period set by a user may be provided in the form of a graph or table and, because the reputation analysis is performed per signature, reputation scores may also be provided by attack type for the IP. In addition, an average of the reputation scores over the period may be calculated and provided.
FIG. 6 is a view showing a log query screen for a specific attack and IP according to an embodiment of the present invention. Referring to FIG. 6, log records for the IPs and specific attacks selected for a specific period can be provided. In addition, as shown in FIG. 7, a reputation score and a graph inquiry screen for each attack type for a specific IP may be provided.
FIG. 8 is a view showing a log query screen for a specific attack according to an embodiment of the present invention, and FIG. 9 is a view showing a log query screen for each attack type for a specific IP according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating a DB information management screen of a TMS to interwork with according to an embodiment of the present invention. Referring to FIG. 10, a management menu may be provided so that a user may easily manage database information of an interworking TMS.
As described above, the present invention has been described by specific embodiments such as specific components and the like. For those skilled in the art, various modifications and variations are possible from these descriptions.
Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described, and the following claims, as well as all equivalents of the claims, belong to the scope of the present invention.
100: user terminal 110: Internet network
120, 150: IP reputation analyzer 121: switch
122: router 130: external reputation information providing server
140: malicious domain server 151: TMS
152: TAP 160: Router
161: firewall 162: switch
163: company intranet 210: packet collection unit
220: signature analysis unit 230: reputation score calculation unit
240: analysis result storage unit 250: external reputation information collection unit
260: information update unit 270: information request processing unit
281: Signature Information Database
282: TMS log information database
283: Reputation Information Database
Claims (15)
A packet collecting unit collecting each packet transmitted on the network;
A signature analysis unit analyzing each packet collected by the packet collection unit and analyzing whether there is a code corresponding to a specific signature previously stored in a database;
When a code corresponding to a specific signature is found as a result of the analysis of the signature analyzer, the risk and false positive rate information preset for the found signature is read from the signature information database, and the read through the detected risk and false positive rate information. A reputation score calculator for calculating a reputation score; And
And an analysis result storage unit for storing the reputation score calculated by the reputation score calculator together with the IP information of the packet in a reputation information database.
And calculate the reputation score to be proportional to the risk and false positive rate, respectively.
An IP reputation analyzer, calculated by the following equation.
And an external reputation information collecting unit configured to collect external reputation information through an external reputation information providing server and store the collected reputation information in the reputation information database.
And an information update unit for collecting and updating risk and false positive rate information on a specific signature stored in the signature information database.
And requesting specific reputation information from the IP reputation analysis apparatus, further comprising: an information request processor configured to generate and provide the request according to a form for requesting reputation information stored in the reputation information database.
And transmit the reputation information stored in the reputation information database to the user terminal periodically, aperiodically, or at the request of the user terminal.
Digitizing each of the plurality of signatures suspected of an attack through the network, and mapping a predetermined risk and false positive rate to a signature information database;
Collecting each packet transmitted on the network in a packet collecting unit;
Analyzing, in a signature analyzer, each packet collected by the packet collecting unit to determine whether it contains a code corresponding to a specific signature stored in the database in advance;
When the analysis by the signature analyzer finds a code corresponding to a specific signature, reading, in a reputation score calculator, the preset risk and false positive rate information for that signature from the signature information database, and calculating a reputation score from the read risk and false positive rate information; and
Storing, by an analysis result storage unit, the reputation score calculated by the reputation score calculator together with the IP information of the packet in a reputation information database.
And calculating the reputation score to be proportional to the risk and the false positive rate, respectively.
The IP reputation analysis method computed by the following formula.
And collecting external reputation information from an external reputation information collecting unit through an external reputation information providing server and storing the collected reputation information in the reputation information database.
And collecting and updating risk and false positive rate information for a specific signature stored in the signature information database in an information update unit.
The IP reputation analysis method further comprising the step of, when specific reputation information is requested from the IP reputation analysis apparatus, generating and providing, in an information request processing unit, the reputation information stored in the reputation information database according to the form of the request.
And transmitting the reputation information stored in the reputation information database to the user terminal periodically, aperiodically or at the request of the user terminal.
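The method steps above (signature lookup, score calculation, storage keyed by source IP, and updating a signature's risk and false positive rate) as an added Python sketch, not code from the patent. The score formula is an assumption, because the claimed equation does not appear on this page; the signature entries, value scales, function names and packets are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Signature:
    pattern: bytes         # byte sequence searched for in the packet payload
    risk: float            # preset risk (constructed 0-10 scale)
    false_positive: float  # preset false positive rate value (constructed 0-1 scale)

def sample_signature_db():
    # Constructed entries standing in for the signature information database.
    return {
        "SIG-A": Signature(b"/etc/passwd", risk=8.0, false_positive=0.5),
        "SIG-B": Signature(b"<script>", risk=5.0, false_positive=0.25),
    }

def reputation_score(sig):
    # ASSUMPTION: the claims only say the score is proportional to the risk
    # and to the false positive rate; a plain product is used as a stand-in.
    return sig.risk * sig.false_positive

def update_signature(db, sig_id, risk, false_positive):
    # Information update step: replace the stored values for one signature.
    db[sig_id] = replace(db[sig_id], risk=risk, false_positive=false_positive)

def analyze(packets, db):
    """Return {source IP: [(signature id, score), ...]} for matching packets."""
    reputation_db = defaultdict(list)
    for src_ip, payload in packets:
        for sig_id, sig in db.items():
            if sig.pattern in payload:
                reputation_db[src_ip].append((sig_id, reputation_score(sig)))
    return dict(reputation_db)

# Constructed packets: (source IP from documentation ranges, payload bytes).
PACKETS = [
    ("192.0.2.10", b"GET /index.html HTTP/1.1"),
    ("198.51.100.7", b"GET /../../etc/passwd HTTP/1.1"),
    ("198.51.100.7", b"GET /?q=<script>x</script> HTTP/1.1"),
    ("203.0.113.5", b"POST /c?x=<script> HTTP/1.1"),
]

if __name__ == "__main__":
    db = sample_signature_db()
    for ip, hits in analyze(PACKETS, db).items():
        print(ip, hits)
```

Only source IPs with at least one signature hit get a record, so a clean host is absent from the result rather than stored with a zero score.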
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120026384A KR20130116418A (en) | 2012-03-15 | 2012-03-15 | Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20130116418A (en) | 2013-10-24 |
Family
ID=49635475
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120026384A KR20130116418A (en) | 2012-03-15 | 2012-03-15 | Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20130116418A (en) |
2012-03-15: KR application KR1020120026384A (publication KR20130116418A), status: not active, Application Discontinuation
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016048543A1 (en) * | 2014-09-24 | 2016-03-31 | Mcafee, Inc. | Determining the reputation of data |
US10462156B2 (en) | 2014-09-24 | 2019-10-29 | Mcafee, Llc | Determining a reputation of data using a data visa |
US11627145B2 (en) | 2014-09-24 | 2023-04-11 | Mcafee, Llc | Determining a reputation of data using a data visa including information indicating a reputation |
WO2016105850A1 (en) * | 2014-12-23 | 2016-06-30 | Mcafee, Inc. | Determining a reputation through network characteristics |
US9769186B2 (en) | 2014-12-23 | 2017-09-19 | Mcafee, Inc. | Determining a reputation through network characteristics |
KR20180024524A (en) * | 2016-08-30 | 2018-03-08 | 주식회사 윈스 | Apparatus and method for blocking using reputation analysys |
KR20190048606A (en) * | 2017-10-31 | 2019-05-09 | 대한민국(국방부 공군참모총장) | Realtime Web Attack Detection Method |
KR20210022213A (en) * | 2019-08-19 | 2021-03-03 | 한국전자통신연구원 | Apparatus for extracting certificate reputation score and operating method thereof |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6894003B2 (en) | Defense against APT attacks | |
US9769200B2 (en) | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation | |
US8683585B1 (en) | Using file reputations to identify malicious file sources in real time | |
US9306964B2 (en) | Using trust profiles for network breach detection | |
US10721244B2 (en) | Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program | |
US9065845B1 (en) | Detecting misuse of trusted seals | |
US8516573B1 (en) | Method and apparatus for port scan detection in a network | |
US8677493B2 (en) | Dynamic cleaning for malware using cloud technology | |
US11882137B2 (en) | Network security blacklist derived from honeypot statistics | |
US7720965B2 (en) | Client health validation using historical data | |
JP2018530066A (en) | Security incident detection due to unreliable security events | |
US20060259967A1 (en) | Proactively protecting computers in a networking environment from malware | |
JP5920169B2 (en) | Unauthorized connection detection method, network monitoring apparatus and program | |
WO2018099206A1 (en) | Apt detection method, system, and device | |
JP2015121968A (en) | Log analyzer, log analysis method, and log analysis program | |
Zhang et al. | User intention-based traffic dependence analysis for anomaly detection | |
JP2012064208A (en) | Network virus prevention method and system | |
CN116860489A (en) | System and method for threat risk scoring of security threats | |
Jiang et al. | Novel intrusion prediction mechanism based on honeypot log similarity | |
KR20130116418A (en) | Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol | |
Kim et al. | Agent-based honeynet framework for protecting servers in campus networks | |
US10462158B2 (en) | URL selection method, URL selection system, URL selection device, and URL selection program | |
KR101398740B1 (en) | System, method and computer readable recording medium for detecting a malicious domain | |
Wu et al. | A novel approach to trojan horse detection by process tracing | |
CN108965277B (en) | DNS (Domain name System) -based infected host distribution monitoring method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
N231 | Notification of change of applicant | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |