WO2012023657A1 - Network-based malicious program detection method using a virtual machine and system comprising the same - Google Patents
Network-based malicious program detection method using a virtual machine and system comprising the same
- Publication number
- WO2012023657A1 (PCT/KR2010/007133)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- virtual machine
- network
- file
- harmful
- traffic
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Definitions
- the present invention relates to a network-based malicious program detection method and system using a virtual machine, which monitors the network and all individual user terminals at the same time in order to detect malicious programs on the network.
- conventional network security equipment judges whether malicious code is present only from events in the network area. Therefore, in the case of excessive traffic, DDoS attacks, or IP/MAC/ARP tampering attacks by zombie PCs, it has the limitation that it cannot directly control the PC or the malicious code present in the network.
- conventionally, malicious code was collected and then analyzed by applying it to individual PCs.
- existing security devices capture and analyze the information flowing through the network in one direction only, analyze the collected files by simple pattern comparison without any dynamic heuristic function, and perform traffic-based analysis only.
- agent-based security solutions running on conventional PCs can obtain pattern information or files of malicious code at the process level by monitoring the status of individual PCs, but they cannot easily know the status of the entire network, and they have the disadvantage that an agent must be installed on every PC.
- the present invention detects and monitors not only traffic and packets on the network but also zombies operating in the client and worms affecting the network, in conjunction with agents in the client, thereby ensuring organic security between the network and the client.
- the present invention aims to provide a network-based malicious program detection method using a virtual machine capable of system and a system thereof.
- the present invention provides a network-based malicious program detection method and system using a virtual machine that captures packets flowing through a network in both directions and reduces the false positive rate when analyzing the collected data.
- the present invention also aims to provide a network-based malicious program detection method and system using a virtual machine that can prevent zombie PCs and zero-day attacks by monitoring and updating in real time the various traffic and files of the network and of individual PCs.
- the present invention relates to a method and system for detecting harmful programs on a network by simultaneously monitoring the entire network and individual user terminals.
- a network-based malicious program detection method using a virtual machine comprises: (a) analyzing all data on the network by packet mirroring; (b) filtering and blocking unnecessary packets with a filtering engine; (c) generating statistical data for each IP at which packet transmission and reception occur; and (d) writing the files collected through the filtering engine to a database and transferring the suspicious files to a virtual machine controller, which delivers each received suspicious file to one of a plurality of waiting virtual machines so that the analyzer of that virtual machine analyzes it.
- the network-based malicious program detection system using a virtual machine comprises: a mirroring module for mirroring data on the network; a filtering module in which a filtering engine blocks unnecessary packets among the packets passing through the mirroring module; a data generation module for forming statistical data for each IP at which packet transmission and reception occur in the network; a file collection engine for collecting data passing through the filtering engine; a virtual machine controller that controls the copying, destruction, and running of the virtual machines, transfers suspicious files among the collected files to a virtual machine, and transfers the suspicious file analysis results of the virtual machine to a database; a plurality of virtual machines each having an analyzer configured to analyze a suspicious file received from the virtual machine controller and to return the analysis result to the virtual machine controller; and a database storing the statistical data for each IP, the files collected through the file collection engine, and the file analysis results of the virtual machines.
- the present invention as described above can collect, by combining packets, a suspicious file or a file containing a command delivered to malicious code on the network, and analyze it in a virtual machine.
- network equipment performs the traditional traffic-based tasks.
- virtual machines perform process-based, PC-style analysis by executing and inspecting the corresponding files, thereby securing the PC area that an IPS or IDS could not fully cover.
- an organic security scheme is thus possible between the network and the client.
- all traffic flowing through the network can be monitored because capture is performed in both directions during mirroring.
- dynamic heuristic signatures and traffic pattern signatures are automatically updated in real time according to the analysis and monitoring of the various traffic and files of the network and of individual PCs, and the results thereof. Therefore, when a file already detected as a harmful program moves on the network, it can be identified immediately without further analysis. That is, the present invention detects unknown DDoS attack tools and the malicious code used in DDoS attacks, generates the details of their actions (C&C server IP, ports used, communication type, etc.) as signatures, and applies them to the deployed security products. This enables an integrated security system against large-scale DDoS attacks and zero-day attacks.
- FIGS. 1 and 2 are flowcharts of the network-based malicious program detection method using a virtual machine of the present invention.
- Figure 3 is a detailed flowchart of the data passed through the filtering engine in the network-based malicious program detection method using a virtual machine of the present invention.
- FIG. 4 is a table showing a list of monitorable behaviors and their underlying data through dynamic heuristics.
- FIG. 5 is a conceptual diagram illustrating an embodiment in which a dynamic heuristic engine matches a policy based on process behavior.
- FIG. 6 is a flowchart illustrating an embodiment of a signature auto-update process of the virtual machine analyzer.
- FIG. 7 is a flow chart illustrating an embodiment for adding, changing, and deleting signatures in a virtual machine analyzer.
- FIG. 8 is a flow diagram illustrating an embodiment for signature auto-update of a packet filtering engine.
- FIG. 9 is a flow chart showing the order in which file downloads are blocked when collecting malicious files using the present invention.
- FIG. 10 is a block diagram of a network-based harmful program detection system using a virtual machine of the present invention.
- reference numerals: router, 20 L4 switch
- mirroring module, 120 filtering engine
- FIGS. 1 and 2 are flowcharts of the network-based malicious program detection method using the virtual machine 160 of the present invention.
- the present invention relates to a network-based malicious program detection method using a virtual machine 160 that monitors the network and all individual user terminals 50 at the same time to detect malicious programs on the network, comprising: (a) analyzing all data on the network; (b) filtering and blocking unnecessary packets with the filtering engine 120; (c) generating statistical data for each IP at which packet transmission and reception occur; and (d) recording the files collected through the filtering engine 120 in the database 170, transferring the suspicious files to the virtual machine controller 150, and having the virtual machine controller 150 pass each received suspicious file to one of the plurality of waiting virtual machines 160 so that the analyzer 162 of that virtual machine 160 analyzes it.
- the present invention begins by analyzing all data on the network by packet mirroring (step (a)).
- the present invention uses a mirroring arrangement in which tap 40 equipment is installed at the top of the network instead of an inline mode, so that all data flowing through the network is captured in real time and used for analysis. It therefore operates without loading the network, and a failure of the equipment causes no problem for the network.
- the present invention modifies the network device driver, using a technique that lets the driver and the application communicate at the highest speed, so that mirroring achieves sufficient capture performance.
- bidirectional capture is performed simultaneously, so traffic in both directions is monitored.
- the filtering engine 120 skips all unnecessary surveillance targets and all data outside the surveillance region, and holds target information for monitored IP/PORT and unmonitored IP/PORT.
- the filtering engine 120 performs pattern analysis with signatures to discover malicious packets attempting an intrusion.
- the address information of the packet and the matching signature information are recorded as a log in the database 170.
- in step (b), inspection objects that do not need inspection are excluded from inspection by means of a white list.
- the harmful traffic detection history can be stored separately in the database 170.
- these steps may be selectively performed by the user. Agents are minimal modules for performing blocking and can optionally be installed.
- in step (c), statistical information is generated by analyzing all IP, PORT, and PROTOCOL information for which packet transmission and reception occur.
- such statistical data may be stored separately in the database 170, and the data recorded in the database 170 can be viewed as a real-time traffic status through the web manager 230. By viewing the packet transmission and reception contents, it is possible to identify the specific PCs that increase traffic and to identify the transmission paths of harmful traffic or suspicious files.
- information can be generated to centrally monitor a desired sub IP or group.
- the suspicious file is transferred to the virtual machine controller 150, and the virtual machine controller 150 delivers the received suspicious file to one of the plurality of waiting virtual machines 160, where it is analyzed by the analyzer 162 of that virtual machine 160.
- in step (d), among the files passing through the filtering engine 120, executable files or files of a desired format are collected by the file collection engine 140.
- a malware signature file can be extracted by comparison against pattern signatures.
- a file is collected from the packet information passing through the filtering engine 120, and the name and detailed information of the collected file are continuously recorded as a log in the database 170.
- the collected suspicious file is transferred to the virtual machine controller 150, and the virtual machine controller 150 delivers the suspicious file to the virtual machine 160.
- the suspicious file is transmitted by the virtual machine controller 150 to the analyzer 162, a program that determines whether the suspicious file is malicious code, and is analyzed there.
- the analysis result is received by the virtual machine controller 150 and then delivered to and stored in the database 170.
- files collected from the network may be the same file.
- unique information can be extracted from a file once it has been analyzed, so the same file can subsequently be skipped without further analysis, avoiding unnecessary load.
- the database 170 is a file-based database that can operate at a higher speed than a general-purpose database, and provides functions for storing and retrieving various data.
- the database 170 stores not only the file collection details but also the harmful traffic detection details, the statistical data details by IP, and the malware analysis details, all of which can be viewed through the web manager 230.
- the virtual machine controller 150 copies, destroys, and operates the virtual machines 160 so that the collected suspicious files can be inspected in a virtual machine.
- a virtual machine 160 that has analyzed a suspicious file and delivered the analysis result to the virtual machine controller 150 is destroyed.
- the virtual machine controller 150 duplicates the virtual machine 160 as many times as the number of destroyed virtual machines 160, so that the number of virtual machines 160 remains the same.
- the number of waiting virtual machines 160 is maintained at n; when a collected file is added to the waiting queue, a virtual machine 160 able to analyze it is assigned, so that up to n suspicious files may be delivered and analyzed at the same time.
- a set number of virtual machines 160 is operated. When a virtual machine 160 is damaged, a new virtual machine 160 is automatically generated and put into operation in its place.
- the analyzer 162 automatically resets the virtual machine 160 after completing a test, and a fresh clone is always kept waiting to check the next suspicious file.
- the analyzer 162 present in the virtual machine 160 is an agent program that analyzes whether the transferred suspicious file is malicious code, and it runs automatically when the virtual machine 160 starts.
- the analyzer 162 executes and analyzes the suspicious file and reports on it to the virtual machine controller 150.
- the analyzer 162 includes an engine that monitors the use of native functions of the OS on a behavioral basis and analyzes harmful programs by dynamic heuristic techniques.
- when a suspicious file matches a dynamic heuristic decision policy, the analysis terminates, and the content of the policy that detected it, together with the suspicious file information, is transmitted to the virtual machine controller 150.
- for a suspicious file that is not detected by any policy, the detailed behavior history and process information obtained by the behavior-based native function usage monitoring are transmitted to the virtual machine controller 150, and the analysis finishes.
- the communication between the virtual machine controller 150 and the virtual machine analyzer 162 uses a path directly connected to the OS, not a path used by existing malicious code, and malware cannot move through this path. Therefore the virus cannot spread outside the virtual machine 160, so it is safe.
- because the malicious code is executed in the virtual machine 160, which is like a PC environment, the behavior and characteristics of the malicious code at execution time can be analyzed.
- FIG. 4 is a table showing a list of monitorable behaviors and their underlying data through dynamic heuristics.
- the dynamic heuristic engine monitors the series of actions shown in FIG. 4, and a combination of these actions creates a policy.
- the process of performing a combination of these actions is matched to the policy upon detection, matching not only a single action but also the nature of the scenario in which the actions are combined.
- policies can be used to reduce false positives that are detected by normal processes as compared to detecting single actions, and to reflect in detail the behavior patterns of malware.
- FIG. 5 is a conceptual diagram of a dynamic heuristic engine matching a policy based on process behavior.
- actions A, B, and C form the policy set in the dynamic heuristic engine.
- when a collected file arrives at the analyzer 162 of the virtual machine 160, the file is executed, and from then on the behavior of its process is compared against the policy in real time.
- harmful program 1, variant 1-1, variant 1-2, and new species 1 differ from one another to some degree, but all of them include every action of the above policy. Therefore, they all match.
- this behavior-based detection/matching technique can detect newly emerging malware with a single policy, because the behavior of malicious code does not change much even when its simple pattern signature changes or variants appear.
- since such a policy is fundamentally a combination, normal programs that do not match the whole combination are not detected. Therefore, the false positive rate can be reduced.
- the analysis result of the virtual machine 160 in step (d) may be transmitted to the virtual machine controller 150 and then stored in the database 170 (step (e)).
- the network-based malicious program detection method using the virtual machine 160 of the present invention further comprises, after step (e), automatically updating the filtering engine 120 and the analyzer 162 of the virtual machine 160 with the pattern signature of the suspicious file extracted from the virtual machine 160 (step (f)).
- for suspicious files analyzed as malicious programs, pattern signatures are automatically generated from the files: signatures for traffic monitoring and, for the analyzers, dynamic heuristic signatures for detection through behavior combinations are automatically extracted, and the patterns of the filtering engine 120 and the analyzer 162 are updated with them.
- the pattern updated in the filtering engine 120 is either a malicious code signature or a harmful traffic signature. The signature of the malicious code itself is set so that detection of that malicious code is completed immediately, without checking it again in the analyzer 162. If a traffic pattern signature is detected, the file is not analyzed by the analyzer 162 and detection is completed at the traffic level.
- FIG. 6 is a flowchart illustrating an embodiment of the signature automatic update process of the virtual machine analyzer 162.
- the file collection engine 140 may collect files having a set format. After collection is complete, the file is analyzed in the virtual machine 160 to find out whether it is malicious.
- the malicious file is run in the virtual machine 160 and its malicious behavior is analyzed by comparison with the dynamic heuristic signatures; when it is determined to be malicious, a signature for the file is automatically obtained and registered in the database 170, so that the next time it is encountered it is detected immediately. The virtual machine clone is then deleted and restored.
- the signature of the file is obtained first. If the same signature already exists in the database 170, the virtual machine 160 immediately reports the malicious program without performing behavior detection.
- FIG. 7 is a flowchart illustrating an embodiment of adding, changing, and deleting signatures of the virtual machine analyzer 162.
- signature updates of the analyzer 162 may be enabled only for dynamic heuristic signatures, not for the already verified signature values and the static heuristic signatures built into the analyzer engine.
- a scenario, that is a dynamic heuristic signature, may be manually added, changed, or deleted at the user's request.
- a new scenario (dynamic heuristic signature) can be added when a suspicious file is misdetected, and a scenario can be changed or deleted when a misdetection occurs while detecting with an existing scenario.
- the scenario is composed of various types of actions, and the action can be added with parameters to further refine the scenario.
- FIG. 8 is a flowchart illustrating an embodiment of signature automatic update of the packet filtering engine 120.
- the built-in signatures of the packet filtering engine 120 are encrypted and stored as a file, and are parsed at initial start-up for real-time detection of malicious packets. These signatures can detect DDoS and exploit attacks.
- when a simulated attack with an attack packet detected by the virtual machine 160 succeeds, its signature is automatically updated in the database 170, the damage caused by the simulated attack is recovered to the original state, and the virtual machine waits for the simulated attack of the next malicious packet.
- for attack packets whose signatures have already been detected in the virtual machine 160, the malicious packet is reported as detected immediately, without rescanning in the virtual machine 160.
- the network-based malicious program detection method using the virtual machine 160 of the present invention is further characterized in that, between steps (c) and (d), the location of transmission and reception of harmful traffic is determined by monitoring the traffic status in real time, and/or a Taint check is periodically performed to determine whether a system file is damaged; if a damaged system file is found, the system is recovered to a backup file using the system backup and recovery module 220.
- the Taint test keeps data such as checksums of the OS modules and periodically checks whether the system's files are damaged or inoperable.
- the system backup and recovery module 220 is used to restore the entire system to the original backup version. After recovery, the system reboots and returns to normal.
- the backup file backs up the current state while the system is running, always keeping the latest version.
- the original backup file can be stored in a compressed format and can be configured to operate according to a backup cycle.
- the present invention is characterized in that the administrator can check each step through the web manager 230.
- the web manager 230 is a management tool that shows the contents of the present invention, from mirroring to file analysis and action results, at a glance.
- the web manager 230 provides network statistics by IP/PORT/PROTOCOL for the packets monitored by mirroring, so that each PC can be distinguished, and displays the real-time file collection details and analysis results on screen.
- the signatures added through analysis by the virtual machine 160, the harmful traffic detection history detected at the traffic level, and the target information of the hosts transmitting and receiving that traffic are also provided.
- the analyzed file is provided to the administrator through the web manager 230 for further analysis and action at national agencies and cyber control centers.
- a report on the detailed data of the entire system from the past to the present can be output to a screen or a printer, and the ability to save it as a file is also provided.
- FIG. 9 is a flowchart showing the order in which file downloads are blocked when collecting malicious files using the present invention.
- FIG. 9 shows a situation in which the PE headers of executable files detected as malicious are stored for this purpose, and when a file matching a stored PE header is downloaded, a TCP RST signal is sent to the server to block the file transfer.
- the present invention relates to a system for detecting harmful programs on a network by simultaneously monitoring the entire network and the individual user terminals 50, comprising: a mirroring module 100 for mirroring data on the network;
- a filtering module in which the filtering engine 120 filters out unnecessary packets from the packets passing through the mirroring module 100;
- a data generation module 130 for forming statistical data for each IP at which packet transmission and reception occur in the network;
- a file collection engine 140 for collecting data passing through the filtering engine 120; a virtual machine controller 150 that controls the copying, destruction, and operation of the virtual machines 160, transfers suspicious files among the collected files to a virtual machine 160, and transfers the suspicious file analysis results of the virtual machine 160 to the database 170;
- a plurality of virtual machines 160 each having therein an analyzer 162 that analyzes the suspicious file received from the virtual machine controller 150 and transmits the analysis result back to the virtual machine controller 150; and a database 170 storing the statistical data for each IP, the files collected through the file collection engine 140, and the file analysis results of the virtual machines 160. The network-based harmful program detection system using a virtual machine 160 is characterized by comprising these (see FIGS. 1 and 10).
- the filtering module extracts harmful traffic by comparison with traffic pattern signatures, and further includes a detection and blocking module 180 that transmits a reject signal to the endpoints of a harmful file transfer to block its transmission and reception, and a notification module 190 that notifies the user that the transmission and reception of a harmful file has been blocked.
- the database 170 is characterized in that it further stores the harmful traffic detection history.
- the filtering module may further include a process blocking module 200 that instructs the agent dedicated to blocking on the PC generating harmful traffic to block the process generating that traffic; it can be installed at the user's option.
- the present invention further provides a check module 210 for checking by a Taint test whether a system file is damaged; a backup and recovery module 220 for recovering a damaged system file using the backup file; and a web manager 230 that monitors all data and operations of the system in real time.
- it is further characterized in that it comprises an update module for automatically updating the filtering engine 120 and the analyzer 162 of the virtual machine 160 with the pattern signature of the suspicious file extracted from the virtual machine 160.
- the web manager 230 performs the functions of logging in to and logging off from the system, viewing the on/off state or operating state of each module and the entire system operation log, and storing and outputting the data desired by the administrator.
- the description of each module in the network-based malicious program detection system using the virtual machine 160 of the present invention is as given above for each step of the network-based malicious program detection method using the virtual machine 160.
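The surveillance-region and white-list filtering of step (b) and the per-IP statistics of step (c) above are easier to see on concrete records. The following Python is an added example, not code from the patent or its assignee: the addresses, the white list and the packet summaries are all constructed (documentation ranges), and the field layout of a packet record is a hypothetical choice for the example.

```python
"""Added example (not the patent's own code): the surveillance-region / white-list
filter of the filtering engine 120 and the per-IP statistics of the data generation
module 130, run over constructed packet records."""
import ipaddress
from collections import defaultdict

# Constructed surveillance configuration (hypothetical addresses from documentation ranges).
SURVEILLANCE = {
    "monitored_networks": [ipaddress.ip_network("10.0.0.0/24")],
    # (ip, port) pairs on the white list are excluded from inspection.
    "whitelist": {("10.0.0.5", 443)},
}

# Constructed packet summaries: (src_ip, src_port, dst_ip, dst_port, protocol, length).
PACKETS = [
    ("10.0.0.7", 51000, "203.0.113.9", 80, "TCP", 1400),
    ("10.0.0.7", 51001, "203.0.113.9", 80, "TCP", 1400),
    ("10.0.0.7", 51002, "203.0.113.10", 80, "TCP", 1400),
    ("203.0.113.9", 80, "10.0.0.7", 51000, "TCP", 200),
    ("10.0.0.8", 40000, "198.51.100.20", 443, "TCP", 500),
    ("198.51.100.20", 443, "10.0.0.8", 40000, "TCP", 3000),
    ("10.0.0.5", 443, "10.0.0.8", 40001, "TCP", 800),      # white-listed endpoint
    ("192.168.5.5", 1234, "198.51.100.1", 53, "UDP", 80),  # outside the surveillance region
]


def monitored(ip: str, cfg: dict) -> bool:
    """True if the address lies inside one of the monitored networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cfg["monitored_networks"])


def in_scope(pkt: tuple, cfg: dict) -> bool:
    """Keep a packet only if one end is in the surveillance region and neither end is white-listed."""
    src, sport, dst, dport, _proto, _length = pkt
    if not (monitored(src, cfg) or monitored(dst, cfg)):
        return False
    return (src, sport) not in cfg["whitelist"] and (dst, dport) not in cfg["whitelist"]


def filter_packets(packets, cfg):
    return [p for p in packets if in_scope(p, cfg)]


def per_ip_stats(packets, cfg) -> dict:
    """Per monitored IP: packet count, bytes out/in, and the set of remote peers."""
    stats = defaultdict(lambda: {"packets": 0, "bytes_out": 0, "bytes_in": 0, "peers": set()})
    for src, _sport, dst, _dport, _proto, length in packets:
        for ip, direction, peer in ((src, "bytes_out", dst), (dst, "bytes_in", src)):
            if monitored(ip, cfg):
                entry = stats[ip]
                entry["packets"] += 1
                entry[direction] += length
                entry["peers"].add(peer)
    return dict(stats)


def top_talkers(stats: dict, n: int = 3) -> list:
    """IPs ordered by bytes sent: the PCs that 'increase traffic' in the text above."""
    return sorted(stats, key=lambda ip: stats[ip]["bytes_out"], reverse=True)[:n]


def run_demo() -> dict:
    kept = filter_packets(PACKETS, SURVEILLANCE)
    stats = per_ip_stats(kept, SURVEILLANCE)
    return {"kept": len(kept), "stats": stats, "top": top_talkers(stats)}


if __name__ == "__main__":
    demo = run_demo()
    print(f"{demo['kept']} of {len(PACKETS)} packets in scope; top talkers: {demo['top']}")
    for ip, s in demo["stats"].items():
        print(ip, s["packets"], s["bytes_out"], s["bytes_in"], sorted(s["peers"]))
```

Two of the eight constructed packets are dropped (the white-listed endpoint and the packet outside the surveillance region), and the per-IP table makes 10.0.0.7 stand out as the host sending the most bytes to outside peers, which is the kind of view the web manager 230 is described as presenting.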
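The analyzer 162 described above does two things in sequence: it checks the file's signature against the database 170 and, only for an unknown file, matches the process's observed actions against the combination policies of FIG. 5, registering a new signature when a policy matches. The Python below is an added example written for this page, not code from the patent or its assignee. The policy, the action labels and the behaviour traces are constructed stand-ins for what the native-function monitoring engine would record; nothing is executed, and the file "content" is just the sample name.

```python
"""Added example (not the patent's own code): a minimal model of the analyzer 162
and database 170 described above.  Behaviour traces are constructed stand-ins for
what the native-function monitoring engine would record; no file is executed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A dynamic heuristic signature: a scenario made of actions that must ALL occur."""
    name: str
    actions: frozenset


# Constructed policy in the spirit of FIG. 5: actions A, B and C, given hypothetical labels.
POLICY_1 = Policy("policy-1", frozenset({
    "modify_autorun",         # action A
    "hook_native_api",        # action B
    "connect_unknown_host",   # action C
}))
POLICIES = [POLICY_1]

# Constructed behaviour traces for the processes of FIG. 5 plus a benign program.
TRACES = {
    "harmful program 1": ["modify_autorun", "hook_native_api", "connect_unknown_host"],
    "variant 1-1": ["drop_file", "modify_autorun", "connect_unknown_host", "hook_native_api"],
    "variant 1-2": ["hook_native_api", "create_mutex", "modify_autorun", "connect_unknown_host"],
    "new species 1": ["connect_unknown_host", "read_clipboard", "hook_native_api", "modify_autorun"],
    "normal installer": ["drop_file", "modify_autorun", "create_mutex"],
}


def file_signature(content: bytes) -> str:
    """Unique information extracted from a file so duplicates are not re-analysed."""
    return hashlib.sha256(content).hexdigest()


def match_policies(trace, policies):
    """Return every policy whose whole action combination appears in the trace (order ignored)."""
    observed = set(trace)
    return [p for p in policies if p.actions <= observed]


def single_action_hits(trace, policies):
    """The naive alternative the text contrasts with: flag on ANY single policy action."""
    observed = set(trace)
    return [p for p in policies if p.actions & observed]


class SignatureDatabase:
    """Stands in for database 170: signature -> name of the policy that detected it."""

    def __init__(self):
        self.known = {}

    def lookup(self, signature):
        return self.known.get(signature)

    def register(self, signature, policy_name):
        self.known[signature] = policy_name


def analyze(content: bytes, trace, db: SignatureDatabase, policies=POLICIES) -> dict:
    """Signature check first (FIG. 6), behaviour matching only for unknown files."""
    signature = file_signature(content)
    known = db.lookup(signature)
    if known is not None:
        return {"signature": signature, "verdict": "malicious",
                "policy": known, "behavior_analysed": False}
    matched = match_policies(trace, policies)
    if matched:
        db.register(signature, matched[0].name)   # auto-register for next time
        return {"signature": signature, "verdict": "malicious",
                "policy": matched[0].name, "behavior_analysed": True}
    # Not detected: the controller receives the full behaviour history instead.
    return {"signature": signature, "verdict": "undetected",
            "policy": None, "behavior_analysed": True, "trace": list(trace)}


def run_demo() -> dict:
    db = SignatureDatabase()
    results = {name: analyze(name.encode(), trace, db) for name, trace in TRACES.items()}
    # The same file seen again is resolved from the signature store without execution.
    results["harmful program 1 (again)"] = analyze(b"harmful program 1", [], db)
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:28s} {r['verdict']:11s} policy={r['policy']} behaviour_run={r['behavior_analysed']}")
```

The four malicious traces differ in order and in extra actions but each contains the whole combination, so one policy catches all of them; the benign installer shares one action with the policy and would be flagged by single-action matching (`single_action_hits`) but not by the combination (`match_policies`), which is the false-positive argument the text makes. The second look at "harmful program 1" returns `behavior_analysed: False`, the signature short-cut of FIG. 6.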
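The Taint test of check module 210 keeps checksums of OS modules and periodically compares them, and backup and recovery module 220 restores a damaged module from the backup copy. The following Python is an added example, not code from the patent or its assignee: the "OS modules" are constructed files in a temporary directory, SHA-256 is an assumed choice of checksum (the text says only "checksum"), and a missing module is treated as damaged, which is a design decision of this example.

```python
"""Added example (not the patent's own code): a checksum-based Taint test in the
sense of check module 210, plus recovery from a backup copy (module 220).  The
"OS modules" are constructed files in a temporary directory."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large modules do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(module_dir: Path) -> dict:
    """Record the checksum of every module while the system is known-good."""
    return {p.name: sha256_of(p) for p in sorted(module_dir.iterdir()) if p.is_file()}


def taint_check(module_dir: Path, baseline: dict) -> list:
    """Return the names of modules whose checksum no longer matches (or that are missing)."""
    damaged = []
    for name, expected in baseline.items():
        current = module_dir / name
        if not current.is_file() or sha256_of(current) != expected:
            damaged.append(name)
    return damaged


def restore_from_backup(module_dir: Path, backup_dir: Path, damaged: list) -> list:
    """Copy each damaged module back from the backup set; return what was restored."""
    restored = []
    for name in damaged:
        source = backup_dir / name
        if source.is_file():
            shutil.copy2(source, module_dir / name)
            restored.append(name)
    return restored


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        modules = Path(tmp) / "modules"
        backup = Path(tmp) / "backup"
        modules.mkdir()
        backup.mkdir()
        # Constructed "OS modules" and their backup copies.
        originals = {"kernel_module_a.bin": b"A" * 1024, "kernel_module_b.bin": b"B" * 2048}
        for name, body in originals.items():
            (modules / name).write_bytes(body)
            (backup / name).write_bytes(body)
        baseline = build_baseline(modules)
        clean = taint_check(modules, baseline)          # nothing damaged yet

        # Simulate damage: one module is overwritten, another deleted.
        (modules / "kernel_module_a.bin").write_bytes(b"A" * 1020 + b"!!!!")
        (modules / "kernel_module_b.bin").unlink()

        damaged = taint_check(modules, baseline)
        restored = restore_from_backup(modules, backup, damaged)
        after = taint_check(modules, baseline)
        return {"clean": clean, "damaged": damaged, "restored": restored, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

The check only has value if the baseline and the backup set are stored where the process that damaged the module cannot also rewrite them; the patent's text places them in the separate backup and recovery module, and a deployment should treat that store as read-only to the monitored system.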
Abstract
The present invention relates to a method and system for detecting malicious programs on a network by simultaneously monitoring the network and the user terminals as a whole. The invention comprises a network-based malicious program detection method using a virtual machine, the steps of which are: (a) analyzing all network data using packet mirroring; (b) blocking unnecessary packets by filtering with a filtering engine; (c) generating statistical data specific to each IP from which packets are sent and received; and (d) recording in a database the files collected through the filtering engine, then transmitting a suspicious file to a virtual machine controller, and having the virtual machine controller transmit the received suspicious file to one of a plurality of virtual machines, which are on standby, for analysis in an analyzer of the virtual machine; the invention also comprises a system for the method.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR20100078593 | 2010-08-16 | | |
KR10-2010-0078593 | 2010-08-16 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012023657A1 (fr) | 2012-02-23 |
Family
ID=45605305
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2010/007133 WO2012023657A1 (fr) | 2010-08-16 | 2010-10-18 | Network-based malicious program detection method using a virtual machine and system comprising the same |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2012023657A1 (fr) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015006110A1 (fr) * | 2013-07-11 | 2015-01-15 | Symantec Corporation | Identifying misuse of legitimate objects |
WO2016018852A1 (fr) * | 2014-07-31 | 2016-02-04 | Intuit Inc. | Method and system for correlating self-reporting virtual asset data with external events to generate a database of external event identifiers |
US20160162685A1 (en) * | 2014-12-08 | 2016-06-09 | Vmware, Inc. | Monitoring application execution in a clone of a virtual computing instance for application whitelisting |
US9742794B2 (en) | 2014-05-27 | 2017-08-22 | Intuit Inc. | Method and apparatus for automating threat model generation and pattern identification |
US9888025B2 (en) | 2014-02-27 | 2018-02-06 | Intuit Inc. | Method and system for providing an efficient asset management and verification service |
US9923909B2 (en) | 2014-02-03 | 2018-03-20 | Intuit Inc. | System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment |
US10102082B2 (en) | 2014-07-31 | 2018-10-16 | Intuit Inc. | Method and system for providing automated self-healing virtual assets |
US10121007B2 (en) | 2014-02-21 | 2018-11-06 | Intuit Inc. | Method and system for providing a robust and efficient virtual asset vulnerability management and verification service |
KR101953824B1 (ko) * | 2017-10-27 | 2019-03-05 | 아토리서치(주) | Network function virtualization apparatus using software-defined networking and operating method thereof |
US10757133B2 (en) | 2014-02-21 | 2020-08-25 | Intuit Inc. | Method and system for creating and deploying virtual assets |
US11294700B2 (en) | 2014-04-18 | 2022-04-05 | Intuit Inc. | Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100870871B1 (ko) * | 2008-05-29 | 2008-11-27 | (주)한드림넷 | Harmful traffic blocking device and security system at the access level |
KR20100046523A (ko) * | 2008-10-27 | 2010-05-07 | (주)소만사 | Harmful site blocking apparatus and method |
- 2010
- 2010-10-18 WO PCT/KR2010/007133 patent/WO2012023657A1/fr active Application Filing
Non-Patent Citations (2)
Title |
---|
CHAN KYOU HWANG ET AL.: "Design of Implementation on real-time Anomaly Traffic Lookup & Analysis System", KNOM REVIEW, vol. 10, no. 1, August 2007 (2007-08-01) * |
JUNG TAEK SEO: "Detecting Scheme of malicious Codes using virtual environments", JOURNAL OF KOREA INSTITUTE OF INFORMATION SECURITY & CRYPTOLOGY, vol. 17, no. 4, August 2007 (2007-08-01) * |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9276947B2 (en) | 2013-07-11 | 2016-03-01 | Symantec Corporation | Identifying misuse of legitimate objects |
US9075989B2 (en) | 2013-07-11 | 2015-07-07 | Symantec Corporation | Identifying misuse of legitimate objects |
WO2015006110A1 (fr) * | 2013-07-11 | 2015-01-15 | Symantec Corporation | Identifying misuse of legitimate objects |
US9923909B2 (en) | 2014-02-03 | 2018-03-20 | Intuit Inc. | System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment |
US10360062B2 (en) | 2014-02-03 | 2019-07-23 | Intuit Inc. | System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment |
US10757133B2 (en) | 2014-02-21 | 2020-08-25 | Intuit Inc. | Method and system for creating and deploying virtual assets |
US10121007B2 (en) | 2014-02-21 | 2018-11-06 | Intuit Inc. | Method and system for providing a robust and efficient virtual asset vulnerability management and verification service |
US11411984B2 (en) | 2014-02-21 | 2022-08-09 | Intuit Inc. | Replacing a potentially threatening virtual asset |
US9888025B2 (en) | 2014-02-27 | 2018-02-06 | Intuit Inc. | Method and system for providing an efficient asset management and verification service |
US10055247B2 (en) | 2014-04-18 | 2018-08-21 | Intuit Inc. | Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets |
US11294700B2 (en) | 2014-04-18 | 2022-04-05 | Intuit Inc. | Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets |
US9742794B2 (en) | 2014-05-27 | 2017-08-22 | Intuit Inc. | Method and apparatus for automating threat model generation and pattern identification |
WO2016018852A1 (fr) * | 2014-07-31 | 2016-02-04 | Intuit Inc. | Method and system for correlating self-reporting virtual asset data with external events to generate an external event identification database |
US9516044B2 (en) | 2014-07-31 | 2016-12-06 | Intuit Inc. | Method and system for correlating self-reporting virtual asset data with external events to generate an external event identification database |
US10102082B2 (en) | 2014-07-31 | 2018-10-16 | Intuit Inc. | Method and system for providing automated self-healing virtual assets |
AU2015296801B2 (en) * | 2014-07-31 | 2020-06-25 | Intuit Inc. | Method and system for correlating self-reporting virtual asset data with external events to generate an external event identification database |
US20160162685A1 (en) * | 2014-12-08 | 2016-06-09 | Vmware, Inc. | Monitoring application execution in a clone of a virtual computing instance for application whitelisting |
US10726119B2 (en) * | 2014-12-08 | 2020-07-28 | Vmware, Inc. | Monitoring application execution in a clone of a virtual computing instance for application whitelisting |
KR101953824B1 (ko) * | 2017-10-27 | 2019-03-05 | 아토리서치(주) | Network function virtualization apparatus using software-defined networking and operating method thereof |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2012023657A1 (fr) | | Network-based malicious program detection method using a virtual machine and system including the same |
WO2011105659A1 (fr) | | System, method, program, and recording medium for real-time detection and blocking of harmful programs through behavioral analysis of a process |
US7197762B2 (en) | | Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits |
EP1495616B1 (fr) | | Detection and neutralization of malicious code in enterprise networks |
US7444679B2 (en) | | Network, method and computer readable medium for distributing security updates to select nodes on a network |
CA2533853C (fr) | | Method and system for detecting unauthorized use of a communications network |
WO2011010823A2 (fr) | | Method for detecting and stopping a distributed denial-of-service (DDoS) attack via cloud computing, and server |
US7200866B2 (en) | | System and method for defending against distributed denial-of-service attack on active network |
WO2012015171A2 (fr) | | Fail-safe control device against computer hacking viruses |
US6895432B2 (en) | | IP network system having unauthorized intrusion safeguard function |
WO2017069348A1 (fr) | | Method and device for automatically verifying a security event |
WO2018107811A1 (fr) | | Joint defense method and apparatus for network security, server and storage medium |
US20030084326A1 (en) | | Method, node and computer readable medium for identifying data in a network exploit |
US20100031093A1 (en) | | Internal tracing method for network attack detection |
JPH09214493A (ja) | | Network system |
WO2012108687A2 (fr) | | Method for detecting ARP spoofing attacks using ARP locking and computer-readable recording medium storing a program for executing the method |
WO2015129934A1 (fr) | | Method and device for detecting a command and control channel |
WO2019231135A1 (fr) | | Vehicle intrusion detection and protection system |
WO2017171188A1 (fr) | | Security device using transaction information collected from a web application server or a web server |
Hegazy et al. | | A multi-agent based system for intrusion detection |
CN113794590B (zh) | | Method, apparatus and system for processing network security situation awareness information |
WO2003021402A2 (fr) | | Network security |
KR101871406B1 (ko) | | Security monitoring and control method for a control system using a whitelist, and system therefor |
WO2013125867A1 (fr) | | Computer system and system for creating composite rules based on files and behaviors |
Ye et al. | | Research on network security protection strategy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 10856199; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 10856199; Country of ref document: EP; Kind code of ref document: A1 |