WO2012023657A1 - Network-based malicious program detection method using a virtual machine and system including the same - Google Patents


Info

Publication number
WO2012023657A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual machine
network
file
harmful
traffic
Prior art date
Application number
PCT/KR2010/007133
Other languages
English (en)
Korean (ko)
Inventor
최병호
임철수
Original Assignee
주식회사 이세정보
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 이세정보
Publication of WO2012023657A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • the present invention relates to a network-based malicious program detection method and system using a virtual machine, which monitor the network and all individual user terminals at the same time in order to detect malicious programs on the network.
  • conventional network security equipment decides whether malicious code is present only from events in the network area. Therefore, in the case of excessive traffic, DDoS attacks, or IP/MAC/ARP tampering attacks by zombie PCs, it cannot directly control the PC or the malicious code present in the network.
  • conventionally, malicious codes were gathered by collecting them and then analyzed by applying them to individual PCs.
  • existing security devices capture and analyze the information flowing through the network in one direction only, analyze the collected files by simple pattern comparison without any dynamic heuristic function, and perform traffic-based analysis only.
  • agent-based security solutions running on conventional PCs can obtain the pattern information or files of malicious codes at the process level by monitoring the status of individual PCs, but they cannot easily know the status of the entire network, and the agents must be installed on every PC.
  • the present invention detects and monitors not only traffic and packets on the network but also zombies operating in the client and worms affecting the network, in conjunction with agents in the client, thereby ensuring organic security between the network and the client.
  • the present invention aims to provide a network-based malicious program detection method using a virtual machine that makes such a system possible, and a system thereof.
  • the present invention provides a network-based malicious program detection method and system using a virtual machine that are capable of bidirectional capture of the packets flowing through a network and of reducing the false positive rate when analyzing the collected data.
  • the present invention provides a network-based malicious program detection method and system using a virtual machine that can prevent zombie PCs and zero-day attacks by monitoring and updating, in real time, the various traffic or files of the network and of individual PCs.
  • the present invention relates to a method and system for detecting harmful programs on a network by simultaneously monitoring the entire network and individual user terminals.
  • the network-based malicious program detection method using a virtual machine comprises: (a) analyzing all data of the network by packet mirroring; (b) filtering and blocking unnecessary packets with the filtering engine; (c) generating statistical data for each IP at which packet transmission and reception occur; and (d) writing the files collected through the filtering engine to a database, transferring the suspicious files to the virtual machine controller, and having the virtual machine controller deliver each received suspicious file to one of a plurality of waiting virtual machines, where it is analyzed by the analyzer.
  • the network-based malicious program detection system using a virtual machine comprises: a mirroring module for mirroring data on the network; a filtering module for blocking unnecessary packets among the packets passing through the mirroring module by filtering with the filtering engine; a data generation module for forming statistical data for each IP at which packet transmission and reception occur in the network; a file collection engine for collecting data passing through the filtering engine; a virtual machine controller that controls the copying, destruction, and running of the virtual machines, transfers suspicious files among the collected files to a virtual machine, and transfers the suspicious file analysis results of the virtual machine to a database; a plurality of virtual machines, each having an analyzer that analyzes a suspicious file received from the virtual machine controller and returns the analysis result to the virtual machine controller; and a database storing the statistical data for each IP, the files collected through the file collection engine, and the file analysis results of the virtual machines.
  • the present invention as described above can collect, by combining packets, suspicious files and files containing commands delivered to malicious code on the network, and analyze them in a virtual machine.
  • the network equipment performs the traditional traffic-based tasks.
  • the virtual machines perform process-based, PC-style analysis by executing and inspecting the corresponding files, securing the PC area that IPS or IDS could not fully cover.
  • an organic security scheme is possible between the network and the client.
  • all the traffic flowing through the network can be monitored by performing bidirectional capture during mirroring.
  • dynamic heuristic signatures and traffic pattern signatures are automatically updated in real time according to the analysis and monitoring of the various traffic or files of the network and of individual PCs, and the results thereof. Therefore, when a file already detected as a harmful program moves on the network, it can be identified immediately without further analysis. That is, the present invention detects unknown DDoS attack tools and the malicious codes used in DDoS attacks, generates the details of their actions (C&C server IP, port used, communication type, etc.) as signatures, and applies them to the deployed security products. This enables an integrated security system against large-scale DDoS attacks and zero-day attacks.
  • FIGS. 1 and 2 are flow charts of the network-based malicious program detection method using a virtual machine of the present invention.
  • FIG. 3 is a detailed flowchart of the handling of data that has passed through the filtering engine in the network-based malicious program detection method using a virtual machine of the present invention.
  • FIG. 4 is a table showing a list of behaviors that can be monitored through dynamic heuristics, and their underlying data.
  • FIG. 5 is a conceptual diagram illustrating an embodiment in which a dynamic heuristic engine matches a policy based on process behavior.
  • FIG. 6 is a flowchart illustrating an embodiment of the automatic signature update process of the virtual machine analyzer.
  • FIG. 7 is a flow chart illustrating an embodiment of adding, changing, and deleting signatures in the virtual machine analyzer.
  • FIG. 8 is a flow diagram illustrating an embodiment of the automatic signature update of the packet filtering engine.
  • FIG. 9 is a flow chart showing the order in which file downloads are blocked when collecting malicious files using the present invention.
  • FIG. 10 is a block diagram of the network-based harmful program detection system using a virtual machine of the present invention.
  • reference numerals in the drawings: Router; 20 L4 Switch; mirroring module; 120 filtering engine.
  • FIGS. 1 and 2 are flowcharts of the network-based malicious program detection method using the virtual machine 160 of the present invention.
  • the present invention relates to a network-based malicious program detection method using a virtual machine 160 that monitors the network and all individual user terminals 50 at the same time to detect malicious programs on the network, the method comprising: (a) analyzing all data of the network by packet mirroring; (b) filtering and blocking unnecessary packets with the filtering engine 120; (c) generating statistical data for each IP at which packet transmission and reception occur; and (d) recording the files collected through the filtering engine 120 in the database 170, then transferring the suspicious file to the virtual machine controller 150, which passes the received suspicious file to one of the plurality of waiting virtual machines 160 so that the analyzer 162 of that virtual machine 160 analyzes it.
  • the present invention begins by analyzing all data of the network in a packet mirroring manner (step (a)).
  • the present invention uses a mirroring concept in which tap 40 equipment is installed at the top of the network, instead of an inline mode, to capture all data flowing through the network in real time and use it for analysis. Therefore it operates without overloading the network and causes no problem for the network even if a failure occurs.
  • the present invention modifies the network device driver, using a technique that allows the driver and the application to communicate at the highest speed, so that the mirroring achieves sufficient capture performance.
  • bidirectional capture can take place simultaneously, allowing the traffic in both directions to be monitored.
  • the filtering engine 120 skips all unnecessary surveillance targets and data outside the surveillance region, and holds target information on monitored IP/PORT and unmonitored IP/PORT.
  • the filtering engine 120 performs pattern analysis using signatures to discover malicious packets that attempt intrusion.
  • the address information of the packet and the matching signature information are recorded in the log of the database 170.
  • in step (b), unnecessary inspection objects on the list are excluded from inspection by using a white list.
  • the harmful traffic detection history can be stored separately in the database 170.
  • these steps may be selectively performed by the user. Agents are minimal modules for performing blocking and can optionally be installed.
  • in step (c), statistical information is generated by analyzing all the IP, PORT, and PROTOCOL information for which packet transmission and reception occur.
  • such statistical data may be stored separately in the database 170, and the data recorded in the database 170 can be viewed as real-time traffic status through the web manager 230. By viewing the packet transmission and reception contents, it is possible to identify specific PCs that increase traffic and to identify the transmission paths of harmful traffic or suspicious files.
  • information can be generated to centrally monitor a desired sub-IP or group.
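  The following is an added example, not code from the patent, of what steps (b) and (c) amount to on mirrored packet summaries: a filtering stage that drops packets outside the monitored region or on a white list, and a per-IP statistics stage that lets an operator pick out the PC generating the most traffic and see whom it talked to. The packet records, the monitored prefix, and the white-list entry are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One mirrored packet summary (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    length: int


# Constructed sample of mirrored packets; addresses are documentation ranges.
SAMPLE_PACKETS = [
    Packet("10.0.0.12", 49152, "203.0.113.7", 80, "TCP", 1500),
    Packet("10.0.0.12", 49153, "203.0.113.7", 80, "TCP", 1500),
    Packet("10.0.0.12", 49154, "198.51.100.9", 6667, "TCP", 400),
    Packet("203.0.113.7", 80, "10.0.0.12", 49152, "TCP", 600),
    Packet("10.0.0.3", 51000, "10.0.0.5", 53, "UDP", 70),       # to white-listed DNS
    Packet("10.0.0.5", 53, "10.0.0.3", 51000, "UDP", 120),      # reply from white-listed DNS
    Packet("10.0.0.3", 51001, "203.0.113.7", 443, "TCP", 900),
    Packet("192.0.2.44", 40000, "192.0.2.45", 22, "TCP", 300),  # outside the monitored region
]

# Filtering-engine tables (hypothetical values): the monitored region and the
# white list of (ip, port) endpoints that are not inspected.
MONITORED_PREFIX = "10.0.0."
WHITELIST = {("10.0.0.5", 53)}


def in_monitored_region(pkt):
    return pkt.src_ip.startswith(MONITORED_PREFIX) or pkt.dst_ip.startswith(MONITORED_PREFIX)


def whitelisted(pkt):
    return (pkt.src_ip, pkt.src_port) in WHITELIST or (pkt.dst_ip, pkt.dst_port) in WHITELIST


def filter_packets(packets):
    """Step (b): drop packets outside the surveillance region or on the white list."""
    return [p for p in packets if in_monitored_region(p) and not whitelisted(p)]


def per_ip_stats(packets):
    """Step (c): per-IP counters of sent/received packets and bytes, plus peers and service ports."""
    stats = defaultdict(lambda: {"sent_pkts": 0, "sent_bytes": 0, "recv_pkts": 0,
                                 "recv_bytes": 0, "peers": set(), "ports": set()})
    for p in packets:
        sender, receiver = stats[p.src_ip], stats[p.dst_ip]
        sender["sent_pkts"] += 1
        sender["sent_bytes"] += p.length
        receiver["recv_pkts"] += 1
        receiver["recv_bytes"] += p.length
        sender["peers"].add(p.dst_ip)
        receiver["peers"].add(p.src_ip)
        sender["ports"].add((p.proto, p.dst_port))
        receiver["ports"].add((p.proto, p.dst_port))
    return dict(stats)


def top_senders(stats, limit=3):
    """Monitored PCs ranked by bytes sent, the view used to spot a host that increases traffic."""
    monitored = {ip: v for ip, v in stats.items() if ip.startswith(MONITORED_PREFIX)}
    ranked = sorted(monitored.items(), key=lambda kv: kv[1]["sent_bytes"], reverse=True)
    return [(ip, v["sent_bytes"]) for ip, v in ranked[:limit]]


def peers_of(stats, ip):
    """Transmission path of a suspicious host: the peers it exchanged packets with and the service ports."""
    v = stats.get(ip)
    return (sorted(v["peers"]), sorted(v["ports"])) if v else ([], [])


if __name__ == "__main__":
    s = per_ip_stats(filter_packets(SAMPLE_PACKETS))
    print(top_senders(s))
    print(peers_of(s, top_senders(s)[0][0]))
```

  The white-listed DNS exchange and the out-of-region SSH packet never reach the statistics stage, so they cannot inflate the counters that the web manager would display; the host 10.0.0.12 surfaces as the top sender and its peer list shows the unusual port 6667 connection alongside its web traffic.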
  • the suspicious file is transferred to the virtual machine controller 150, and the virtual machine controller 150 delivers the received suspicious file to one of the plurality of waiting virtual machines 160, where it is analyzed by the analyzer 162 of that virtual machine 160.
  • in step (d), among the files passing through the filtering engine 120, executable files or files of a desired format are collected by the file collection engine 140.
  • a malware signature file can be extracted by comparison with the pattern signatures.
  • a file is collected from the packet information passing through the filtering engine 120, and the name and detailed information of the collected file are continuously recorded in the database 170 as a log.
  • the collected suspicious file is transferred to the virtual machine controller 150, and the virtual machine controller 150 delivers the suspicious file to the virtual machine 160.
  • the suspicious file is transmitted by the virtual machine controller 150 to the analyzer 162, which is a program that analyzes whether the suspicious file is malicious code, and is analyzed there.
  • the analysis result is received by the virtual machine controller 150, which delivers it to the database 170, where it is stored.
  • files collected from the network may be the same file.
  • unique information can be extracted from a file once it has been analyzed, so the same file can be skipped without further analysis, avoiding unnecessary processing.
  • the database 170 is a file-based database that can operate at a higher speed than a general database, and provides functions for storing and retrieving various data.
  • the database 170 stores not only the file collection details but also the harmful traffic detection details, the statistical data details by IP, and the malware analysis details, all of which can be viewed through the web manager 230.
  • the virtual machine controller 150 copies, destroys, and operates the virtual machines 160 so that the collected suspicious files can be inspected in a virtual machine.
  • a virtual machine 160 that has analyzed a suspicious file and delivered the analysis result to the virtual machine controller 150 is destroyed.
  • the virtual machine controller 150 duplicates the virtual machine 160 as many times as the number of destroyed virtual machines 160, so that the number of virtual machines 160 remains the same.
  • the number of waiting virtual machines 160 is maintained at n; when a collected file is added to the waiting queue, a virtual machine 160 able to analyze it is assigned, so several suspicious files, up to n, may be delivered and analyzed at the same time.
  • the virtual machines 160 are operated in a set number. When a virtual machine 160 is damaged, a virtual machine 160 is automatically generated and put into operation in its place.
  • the analyzer 162 automatically resets the virtual machine 160 after completing the test, and a recreated clone always waits to check the next suspicious file.
  • the analyzer 162 residing in the virtual machine 160 is an agent program for analyzing whether the transferred suspicious file is malicious code, and is started automatically when the virtual machine 160 is executed.
  • the analyzer 162 executes and analyzes the suspicious file and transmits the suspicious file to the virtual machine controller 150.
  • the analyzer 162 includes an engine that monitors the use of native functions of the OS based on behavior and analyzes harmful programs by dynamic heuristic techniques.
  • for a suspicious file matched by the dynamic heuristic decision policy, the analysis is terminated, and the policy content that detected the suspicious file, together with the suspicious file information, is transmitted to the virtual machine controller 150.
  • for a suspicious file that is not detected by the policy, the detailed behavior history and process information obtained by the behavior-based native function usage monitoring are transmitted to the virtual machine controller 150, and the analysis is finished.
  • the communication between the virtual machine controller 150 and the virtual machine analyzer 162 uses a path directly connected to the OS rather than a path used by existing malicious code, and malware cannot move through this path. Therefore a virus cannot spread outside the virtual machine 160, which makes it safe.
  • since the malicious code is executed in the virtual machine 160, which is like a PC environment, the behavior and characteristics of the malicious code at execution time can be analyzed.
  • FIG. 4 is a table showing a list of behaviors that can be monitored through dynamic heuristics, and their underlying data.
  • the dynamic heuristic engine monitors the series of actions shown in FIG. 4, and a combination of these actions forms a policy.
  • a process that performs such a combination of actions is matched to the policy upon detection; what is matched is not only a single action but the nature of the scenario in which the actions are combined.
  • compared with detecting single actions, policies can reduce the false positives raised by normal processes, and can reflect the behavior patterns of malware in detail.
  • FIG. 5 is a conceptual diagram of the dynamic heuristic engine matching a policy based on process behavior.
  • actions A, B, and C form the policy set in the dynamic heuristic engine.
  • when a collected file arrives at the analyzer 162 of the virtual machine 160, the file is executed, and the behavior of the resulting process is compared against the policy in real time.
  • harmful program 1, variant 1-1, variant 1-2, and new species 1 differ from one another to some degree, but all of them include the above policy actions; therefore they all match.
  • this behavior-based detection/matching technique can detect newly emerging malware with a single policy, because the behavior of malicious code does not change much even when its simple pattern signature changes or variants appear.
  • since the policy is essentially a combination, normal programs that do not match the combination are not detected, so the false positive rate can be reduced.
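  To make the FIG. 5 matching concrete, here is an added example (not the patent's own engine) of a policy matcher over behavior traces. A policy is an ordered combination of monitored actions, each optionally refined by parameters; a trace matches when the steps occur in order, with unrelated actions allowed in between. The action kinds, the policy "persist_and_beacon", and the five traces are constructed for this example; they stand in for the harmful program, its variants, the new species, and a normal installer in the figure.

```python
from dataclasses import dataclass, field


@dataclass
class Action:
    """One monitored native-function use, with the parameters the monitor recorded."""
    kind: str
    params: dict = field(default_factory=dict)


@dataclass
class Policy:
    """A scenario: an ordered combination of actions, each optionally refined by parameters."""
    name: str
    steps: list  # [(kind, {param: required_value}), ...]


def action_matches(action, kind, constraints):
    """An action satisfies a step when its kind matches and every required parameter matches."""
    return action.kind == kind and all(action.params.get(k) == v for k, v in constraints.items())


def match_policy(trace, policy):
    """True when every policy step occurs in the trace in order (other actions may sit between)."""
    i = 0
    for act in trace:
        if i < len(policy.steps) and action_matches(act, *policy.steps[i]):
            i += 1
    return i == len(policy.steps)


def evaluate(trace, policies):
    """Names of all policies the process behavior matched."""
    return [p.name for p in policies if match_policy(trace, p)]


def single_action_hits(trace, kind):
    """The older single-action style of detection, kept here for comparison."""
    return any(a.kind == kind for a in trace)


# Hypothetical policy: A = drop a file into the system directory,
# B = register it to run at start-up, C = open an outbound connection.
PERSIST_AND_BEACON = Policy("persist_and_beacon", [
    ("write_file", {"dir": "system"}),
    ("registry_set", {"key": "Run"}),
    ("connect", {}),
])

# Constructed behavior traces (not real samples).
HARMFUL_1 = [
    Action("write_file", {"dir": "system", "name": "svch0st.exe"}),
    Action("registry_set", {"key": "Run"}),
    Action("connect", {"port": 6667}),
]
VARIANT_1_1 = [  # extra noise actions and different names, same scenario
    Action("create_process", {}),
    Action("write_file", {"dir": "system", "name": "upd.exe"}),
    Action("sleep", {}),
    Action("registry_set", {"key": "Run"}),
    Action("connect", {"port": 8080}),
]
VARIANT_1_2 = [
    Action("write_file", {"dir": "system", "name": "a.exe"}),
    Action("write_file", {"dir": "temp", "name": "log.txt"}),
    Action("registry_set", {"key": "Run"}),
    Action("connect", {"port": 443}),
]
NEW_SPECIES_1 = [
    Action("read_file", {"dir": "user"}),
    Action("write_file", {"dir": "system", "name": "x.dll"}),
    Action("registry_set", {"key": "Run"}),
    Action("delete_file", {"dir": "temp"}),
    Action("connect", {"port": 6667}),
]
BENIGN_INSTALLER = [  # registers a Run key and phones home, but installs under Program Files
    Action("write_file", {"dir": "program_files", "name": "app.exe"}),
    Action("registry_set", {"key": "Run"}),
    Action("connect", {"port": 443}),
]


if __name__ == "__main__":
    for name, trace in [("harmful 1", HARMFUL_1), ("variant 1-1", VARIANT_1_1),
                        ("variant 1-2", VARIANT_1_2), ("new species 1", NEW_SPECIES_1),
                        ("benign installer", BENIGN_INSTALLER)]:
        print(name, evaluate(trace, [PERSIST_AND_BEACON]))
```

  The installer shows the false-positive point from the text: a single-action rule on "registry_set" fires on it, while the combined policy does not, because the write_file step carries the parameter dir="system" that the installer's behavior never satisfies.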
  • the analysis result of the virtual machine 160 in step (d) may be transmitted to the virtual machine controller 150 and then stored in the database 170 (step (e)).
  • the network-based malicious program detection method using the virtual machine 160 of the present invention further comprises, after step (e), automatically updating the filtering engine 120 and the analyzer 162 of the virtual machine 160 with the pattern signature of the suspicious file extracted from the virtual machine 160 (step (f)).
  • for suspicious files analyzed as malicious programs, pattern signatures are automatically generated from the files: signatures for traffic monitoring, dynamic heuristic signatures for the analyzer, and signatures for detection through behavior combinations are extracted automatically and used to update the patterns of the filtering engine 120 and of the analyzer 162.
  • the pattern updated in the filtering engine 120 is a malicious code signature or a harmful traffic signature. The signature of the malicious code itself is set so that detection of the malicious code is completed immediately, without checking again in the analyzer 162; if a traffic pattern signature is detected, the file is not analyzed by the analyzer 162 and detection is completed at the traffic level.
  • FIG. 6 is a flowchart illustrating an embodiment of the automatic signature update process of the virtual machine analyzer 162.
  • the file collection engine 140 may collect files of a set format. After file collection is completed, the file collection engine 140 may have the virtual machine 160 analyze the file to determine whether it is malicious.
  • the malicious file is run in the virtual machine 160 and its malicious behavior is analyzed by comparison with the dynamic heuristic signatures; when it is determined to be a malicious file, a signature for the malicious file is obtained automatically and registered automatically in the database 170, so that the next time it appears it is detected immediately. The virtual machine clone is then deleted and restored.
  • a signature for the file is obtained; if the same signature already exists in the database 170, the virtual machine 160 immediately detects the malicious program without performing behavior detection.
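  The following added example (not the patent's code) ties together the controller behavior described above and the de-duplication and signature registration just discussed: a pool of n waiting clones, a queue of collected files, a fingerprint-based skip for files already analyzed or already registered as malicious, and a destroy-and-reclone step after each analysis so the count stays at n. The VM class is a stand-in (no hypervisor is driven), the fingerprint is a SHA-256 of the file bytes, and demo_verdict is a constructed substitute for the analyzer's dynamic verdict.

```python
import hashlib
import itertools
from collections import deque


class VirtualMachine:
    """Stand-in for one cloned analysis VM (hypothetical; no hypervisor is driven here)."""
    _ids = itertools.count(1)

    def __init__(self):
        self.vm_id = next(VirtualMachine._ids)

    def run_analyzer(self, data, verdict_fn):
        # In the real design the analyzer agent executes the sample inside the VM;
        # here the constructed verdict_fn stands in for that dynamic analysis.
        return verdict_fn(data)


class VirtualMachineController:
    """Keeps n waiting clones, de-duplicates by file fingerprint, and registers signatures."""

    def __init__(self, n, verdict_fn):
        self.n = n
        self.verdict_fn = verdict_fn
        self.waiting = deque(VirtualMachine() for _ in range(n))
        self.queue = deque()      # (fingerprint, data) awaiting a VM
        self.pending = set()      # fingerprints already queued
        self.results = {}         # fingerprint -> verdict (the analysis-result store)
        self.signatures = set()   # fingerprints of files judged malicious
        self.destroyed = 0

    @staticmethod
    def fingerprint(data):
        return hashlib.sha256(data).hexdigest()

    def submit(self, data):
        """Returns (verdict, source). Known signatures and cached results never reach a VM."""
        h = self.fingerprint(data)
        if h in self.signatures:
            return "malicious", "signature"
        if h in self.results:
            return self.results[h], "cached"
        if h in self.pending:
            return None, "pending"
        self.pending.add(h)
        self.queue.append((h, data))
        return None, "queued"

    def dispatch(self):
        """Hand queued files to waiting VMs (at most n per round); destroy and re-clone after use."""
        batch = []
        for _ in range(self.n):
            if not self.queue or not self.waiting:
                break
            vm = self.waiting.popleft()
            h, data = self.queue.popleft()
            verdict = vm.run_analyzer(data, self.verdict_fn)
            self.results[h] = verdict
            self.pending.discard(h)
            if verdict == "malicious":
                self.signatures.add(h)           # registered so the next copy is detected at once
            self.destroyed += 1                  # the used clone is discarded ...
            self.waiting.append(VirtualMachine())  # ... and replaced, keeping the count at n
            batch.append((vm.vm_id, h, verdict))
        return batch


def demo_verdict(data):
    """Constructed stand-in for the analyzer's dynamic verdict."""
    return "malicious" if b"MALICIOUS-MARKER" in data else "benign"


if __name__ == "__main__":
    ctl = VirtualMachineController(2, demo_verdict)
    for sample in (b"hello", b"MALICIOUS-MARKER payload", b"hello", b"third"):
        print(ctl.submit(sample))
    print(ctl.dispatch())
    print(ctl.submit(b"MALICIOUS-MARKER payload"), ctl.submit(b"hello"))
```

  The second submission of the marker file returns a verdict from the signature set without touching the pool, which is the "detected immediately without behavior detection" path; the duplicate of "hello" is recognized while still queued, so the same file never occupies two clones.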
  • FIG. 7 is a flowchart illustrating an embodiment of adding, changing, and deleting signatures of the virtual machine analyzer 162.
  • the signature update of the analyzer 162 may be enabled only for the dynamic heuristic signatures, excluding the already verified signature values and the static heuristic signatures attached to the analyzer engine.
  • a scenario, which is a dynamic heuristic signature, may be manually added, changed, or deleted at the user's request.
  • a new scenario (dynamic heuristic signature) can be added if a suspected file is misdetected, and a scenario can be changed or deleted if a misdetection occurs when detecting with an existing scenario.
  • a scenario is composed of various types of actions, and parameters can be added to an action to further refine the scenario.
  • FIG. 8 is a flowchart illustrating an embodiment of the automatic signature update of the packet filtering engine 120.
  • the built-in signature of the packet filtering engine 120 is encrypted and stored as a file, and is parsed during initial operation for use in the real-time detection of malicious packets. This signature can detect DDoS and exploit attacks.
  • for an attack packet detected by the virtual machine 160, when the simulated attack succeeds, the signature in the database 170 is updated automatically, the damage caused by the simulated attack is recovered to its original state, and the system waits for the simulated attack of another malicious packet.
  • an attack packet whose signature has already been detected in the virtual machine 160 is reported as detected immediately, without being rescanned in the virtual machine 160.
  • the network-based malicious program detection method using the virtual machine 160 of the present invention further comprises, between steps (c) and (d), determining the locations of transmission and reception of harmful traffic by monitoring the traffic status in real time, and/or periodically performing a Taint check to determine whether a system file is damaged and, if a damaged system file is found, recovering the system from a backup file using the system backup and recovery module 220.
  • the Taint test keeps data such as the checksums of the OS modules and periodically checks whether a file of the system is damaged or inoperable.
  • the system backup and recovery module 220 is used to back up the entire system as the original backup version; after recovery, the system reboots and returns to normal.
  • the backup file backs up the current state while the system is running, so the latest version is always kept.
  • the original backup file can be stored in a compressed format and can be configured to operate according to the backup cycle.
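  As an added illustration of the Taint check and the backup-and-recovery step (example code, not the patent's modules), the block below records SHA-256 checksums of a set of "OS modules" while they are known good, later reports any module whose checksum changed or that is missing, and restores each reported module from the backup copy. The module names, their contents, and the temporary directories are constructed for the demo; a real deployment would keep the baseline and the backup outside the protected system.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Checksum a file in chunks so large modules do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Record the checksum of each OS module while the system is known-good."""
    root = Path(root)
    return {rel: sha256_file(root / rel) for rel in rel_paths}


def taint_check(root, baseline):
    """Return the modules whose checksum no longer matches the baseline, or that are missing."""
    root = Path(root)
    damaged = []
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != expected:
            damaged.append(rel)
    return damaged


def recover(root, backup_root, damaged):
    """Restore each damaged module from the backup copy; returns the modules actually restored."""
    restored = []
    for rel in damaged:
        src = Path(backup_root) / rel
        dst = Path(root) / rel
        if src.is_file():
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
    return restored


def demo():
    """Constructed scenario: two fake OS modules, one tampered with and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp) / "system"
        backup = Path(tmp) / "backup"
        (system / "drivers").mkdir(parents=True)
        (system / "kernel.bin").write_bytes(b"constructed kernel image")
        (system / "drivers" / "net.sys").write_bytes(b"constructed network driver")
        modules = ["kernel.bin", "drivers/net.sys"]
        baseline = build_baseline(system, modules)
        shutil.copytree(system, backup)  # the backup module's original version
        # simulate damage after the baseline was taken
        (system / "drivers" / "net.sys").write_bytes(b"constructed network driver" + b"\x90")
        (system / "kernel.bin").unlink()
        damaged = taint_check(system, baseline)
        restored = recover(system, backup, damaged)
        after = taint_check(system, baseline)
        return damaged, restored, after


if __name__ == "__main__":
    print(demo())
```

  The check reports both the modified driver and the missing kernel image, and a second check after recovery is clean; a module absent from the backup is reported as damaged but not listed as restored, which is the case an operator needs to see rather than have silently skipped.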
  • the present invention is characterized in that the administrator can check each step through the web manager 230.
  • the web manager 230 is a management tool that allows the contents of the present invention, from mirroring to file analysis and action results, to be seen at a glance.
  • the web manager 230 provides network statistics by IP/PORT/PROTOCOL for the packets monitored by mirroring, distinguishing each PC, and outputs the real-time file collection details and analysis results on the screen.
  • the signatures added through analysis by the virtual machine 160, the harmful traffic detection history detected at the traffic level, and the target information for the transmission and reception of that traffic are also provided.
  • the analyzed file is provided to the administrator through the web manager 230 for further analysis and action at national agencies and cyber control centers.
  • a report on the detailed data of the entire system from the past to the present can be output to a screen or printer, and a function to save it as a file is provided.
  • FIG. 9 is a flowchart showing the order in which file downloads are blocked when collecting malicious files using the present invention.
  • FIG. 9 shows a situation in which the PE headers of executable files detected as malicious are stored for this purpose, and when a file matching a stored PE header is downloaded, a TCP RST signal is sent to the server to block the file transfer.
  • the present invention also relates to a system for detecting harmful programs on a network by simultaneously monitoring the entire network and the individual user terminals 50, the system comprising: a mirroring module 100 for mirroring data on the network;
  • a filtering module for filtering out unnecessary packets from the packets passing through the mirroring module 100 by means of the filtering engine 120;
  • a data generation module 130 for forming statistical data for each IP at which packet transmission and reception occur in the network;
  • a file collection engine 140 for collecting data passing through the filtering engine 120;
  • a virtual machine controller 150 that controls the copying, destruction, and operation of the virtual machines 160, transfers suspicious files among the collected files to the virtual machines 160, and transfers the suspicious file analysis results of the virtual machines 160 to the database 170;
  • a plurality of virtual machines 160, each having an analyzer 162 therein that analyzes the suspicious file received from the virtual machine controller 150 and transmits the suspicious file analysis result to the virtual machine controller 150; and a database 170 storing the statistical data for each IP, the files collected through the file collection engine 140, and the file analysis results of the virtual machines 160 (see FIGS. 1 and 10).
  • the filtering module includes a detection and blocking module 180 that extracts harmful traffic by comparison with the traffic pattern signatures, transmits a reject signal to the harmful file transmission/reception target, and blocks the transmission and reception; and a notification module 190 for notifying the user that the transmission and reception of a harmful file has been blocked.
  • the database 170 is characterized in that it further stores the harmful traffic detection history.
  • the filtering module may include a process blocking module 200 that instructs the agent dedicated to blocking, on the PC generating the harmful traffic, to block the process generating that traffic; this can be installed at the user's choice.
  • the present invention further provides a check module 210 for checking whether a system file is damaged by means of the Taint test; a backup and recovery module 220 for recovering a damaged system file using the backup file; and a web manager 230 that monitors all data and operations on the system in real time.
  • it further comprises an update module for automatically updating the filtering engine 120 and the analyzer 162 of the virtual machine 160 with the pattern signature of the suspicious file extracted from the virtual machine 160.
  • the web manager 230 performs the functions of logging in to and logging off the system, viewing the on/off state or operating state of each module and the entire system operation log, and storing and outputting the data desired by the administrator.
  • the description of each module in the network-based malicious program detection system using the virtual machine 160 of the present invention corresponds to the information given above for each step of the network-based malicious program detection method using the virtual machine 160.

Abstract

The present invention relates to a method and system for detecting malicious programs on a network by simultaneously monitoring the network and the user terminals as a whole. The invention comprises a network-based malicious program detection method using a virtual machine, the steps of which consist of: (a) analyzing all network data using packet mirroring; (b) blocking unnecessary packets by filtering with a filtering engine; (c) generating statistical data specific to each IP from which packets are transmitted and received; and (d) recording in a database the files collected through the filtering engine, then transmitting a suspicious file to a virtual machine controller, and having the virtual machine controller transmit the received suspicious file to one of a plurality of virtual machines that are on standby, for analysis in an analyzer of the virtual machine; the invention also comprises a system for the method.
PCT/KR2010/007133 2010-08-16 2010-10-18 Network-based malicious program detection method using a virtual machine and system including the same WO2012023657A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR20100078593 2010-08-16
KR10-2010-0078593 2010-08-16

Publications (1)

Publication Number Publication Date
WO2012023657A1 true WO2012023657A1 (fr) 2012-02-23

Family

ID=45605305

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2010/007133 WO2012023657A1 (fr) 2010-08-16 2010-10-18 Network-based malicious program detection method using a virtual machine and system including the same

Country Status (1)

Country Link
WO (1) WO2012023657A1 (fr)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015006110A1 (fr) * 2013-07-11 2015-01-15 Symantec Corporation Identifying misuse of legitimate objects
WO2016018852A1 (fr) * 2014-07-31 2016-02-04 Intuit Inc. Method and system for correlating self-reporting virtual asset data with external events to generate a database of external event identifiers
US20160162685A1 (en) * 2014-12-08 2016-06-09 Vmware, Inc. Monitoring application execution in a clone of a virtual computing instance for application whitelisting
US9742794B2 (en) 2014-05-27 2017-08-22 Intuit Inc. Method and apparatus for automating threat model generation and pattern identification
US9888025B2 (en) 2014-02-27 2018-02-06 Intuit Inc. Method and system for providing an efficient asset management and verification service
US9923909B2 (en) 2014-02-03 2018-03-20 Intuit Inc. System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
US10102082B2 (en) 2014-07-31 2018-10-16 Intuit Inc. Method and system for providing automated self-healing virtual assets
US10121007B2 (en) 2014-02-21 2018-11-06 Intuit Inc. Method and system for providing a robust and efficient virtual asset vulnerability management and verification service
KR101953824B1 (ko) * 2017-10-27 2019-03-05 아토리서치(주) Network function virtualization apparatus using software-defined networking and operating method thereof
US10757133B2 (en) 2014-02-21 2020-08-25 Intuit Inc. Method and system for creating and deploying virtual assets
US11294700B2 (en) 2014-04-18 2022-04-05 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100870871B1 (ko) * 2008-05-29 2008-11-27 (주)한드림넷 Apparatus for blocking harmful traffic at the access level, and security system
KR20100046523A (ko) * 2008-10-27 2010-05-07 (주)소만사 Apparatus and method for blocking harmful sites

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHAN KYOU HWANG ET AL.: "Design of Implementation on real-time Anomaly Traffic Lookup & Analysis System", KNOM REVIEW, vol. 10, no. 1, August 2007 (2007-08-01) *
JUNG TAEK SEO: "Detecting Scheme of malicious Codes using virtual environments", JOURNAL OF KOREA INSTITUTE OF INFORMATION SECURITY & CRYPTOLOGY, vol. 17, no. 4, August 2007 (2007-08-01) *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9276947B2 (en) 2013-07-11 2016-03-01 Symantec Corporation Identifying misuse of legitimate objects
US9075989B2 (en) 2013-07-11 2015-07-07 Symantec Corporation Identifying misuse of legitimate objects
WO2015006110A1 (fr) * 2013-07-11 2015-01-15 Symantec Corporation Identifying misuse of legitimate objects
US9923909B2 (en) 2014-02-03 2018-03-20 Intuit Inc. System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
US10360062B2 (en) 2014-02-03 2019-07-23 Intuit Inc. System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
US10757133B2 (en) 2014-02-21 2020-08-25 Intuit Inc. Method and system for creating and deploying virtual assets
US10121007B2 (en) 2014-02-21 2018-11-06 Intuit Inc. Method and system for providing a robust and efficient virtual asset vulnerability management and verification service
US11411984B2 (en) 2014-02-21 2022-08-09 Intuit Inc. Replacing a potentially threatening virtual asset
US9888025B2 (en) 2014-02-27 2018-02-06 Intuit Inc. Method and system for providing an efficient asset management and verification service
US10055247B2 (en) 2014-04-18 2018-08-21 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets
US11294700B2 (en) 2014-04-18 2022-04-05 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets
US9742794B2 (en) 2014-05-27 2017-08-22 Intuit Inc. Method and apparatus for automating threat model generation and pattern identification
WO2016018852A1 (fr) * 2014-07-31 2016-02-04 Intuit Inc. Method and system for correlating self-reporting virtual asset data with external events to generate an external event identification database
US9516044B2 (en) 2014-07-31 2016-12-06 Intuit Inc. Method and system for correlating self-reporting virtual asset data with external events to generate an external event identification database
US10102082B2 (en) 2014-07-31 2018-10-16 Intuit Inc. Method and system for providing automated self-healing virtual assets
AU2015296801B2 (en) * 2014-07-31 2020-06-25 Intuit Inc. Method and system for correlating self-reporting virtual asset data with external events to generate an external event identification database
US20160162685A1 (en) * 2014-12-08 2016-06-09 Vmware, Inc. Monitoring application execution in a clone of a virtual computing instance for application whitelisting
US10726119B2 (en) * 2014-12-08 2020-07-28 Vmware, Inc. Monitoring application execution in a clone of a virtual computing instance for application whitelisting
KR101953824B1 (ko) * 2017-10-27 2019-03-05 아토리서치(주) Network function virtualization apparatus using software-defined networking, and operating method thereof

Similar Documents

Publication Publication Date Title
WO2012023657A1 (fr) Network-based malicious program detection method using a virtual machine, and system including the same
WO2011105659A1 (fr) System, method, program, and recording medium for real-time detection and blocking of harmful programs through behavioral analysis of a process
US7197762B2 (en) Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits
EP1495616B1 (fr) Detection and countering of malicious code in enterprise networks
US7444679B2 (en) Network, method and computer readable medium for distributing security updates to select nodes on a network
CA2533853C (fr) Method and system for detecting unauthorized use of a communications network
WO2011010823A2 (fr) Method for detecting and stopping a distributed denial of service (DDoS) attack via cloud computing, and server
US7200866B2 (en) System and method for defending against distributed denial-of-service attack on active network
WO2012015171A2 (fr) Fail-safe control device against hacking viruses
US6895432B2 (en) IP network system having unauthorized intrusion safeguard function
WO2017069348A1 (fr) Method and device for automatically verifying a security event
WO2018107811A1 (fr) Joint defense method and apparatus for network security, server, and storage medium
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
US20100031093A1 (en) Internal tracing method for network attack detection
JPH09214493A (ja) Network system
WO2012108687A2 (fr) Method for detecting ARP spoofing attacks using ARP locking, and computer-readable recording medium storing a program for executing the method
WO2015129934A1 (fr) Method and device for detecting a command and control channel
WO2019231135A1 (fr) Vehicle intrusion detection and protection system
WO2017171188A1 (fr) Security device using transaction information collected from a web application server or a web server
Hegazy et al. A multi-agent based system for intrusion detection
CN113794590B (zh) Method, apparatus and system for processing network security situational awareness information
WO2003021402A2 (fr) Network security
KR101871406B1 (ko) Security monitoring method for a control system using a whitelist, and system therefor
WO2013125867A1 (fr) Computer system and system for creating compound rules based on files and behaviors
Ye et al. Research on network security protection strategy

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 10856199; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 10856199; Country of ref document: EP; Kind code of ref document: A1)