WO2017034072A1 - Network security system and security method - Google Patents

Network security system and security method

Info

Publication number
WO2017034072A1
Authority
WO
WIPO (PCT)
Prior art keywords
user terminal
server
security
information
access
Prior art date
Application number
PCT/KR2015/011066
Other languages
English (en)
Korean (ko)
Inventor
전석기
소준영
Original Assignee
주식회사 아이티스테이션
Priority date
Filing date
Publication date
Application filed by 주식회사 아이티스테이션
Publication of WO2017034072A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/40 Network security protocols
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 12/00 Data switching networks
            • H04L 12/02 Details
              • H04L 12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation

Definitions

  • The present invention relates to a network security system and a security method, and more particularly to a network security system and a security method capable of coping with unknown external hacking risks.
  • Cyber attacks have become organized and intelligent. In particular, advanced persistent threats (APTs), in which hacking organizations with economic motives carry out stealthy, continuous, and intelligent attacks against specific targets, are increasing rapidly and have become a serious social problem.
  • In an APT attack, a hacker or hacking organization infiltrates malicious code into the target organization in order to steal its important information, and then continuously updates the malware so that the hosts of the people who access that important information are infected. The important information is leaked through these infected hosts.
  • Korean Patent No. 10-0635130 (“Kernel backdoor detection system and method through Windows network monitoring”) monitors network packets passing through the TDI (Transport Driver Interface) layer and the NDIS (Network Driver Interface Specification) layer among the Windows network components.
  • TDI: Transport Driver Interface
  • NDIS: Network Driver Interface Specification
  • Kernel backdoors are detected, and the network packets generated by these kernel backdoors are filtered.
  • A system and method for detecting a kernel backdoor, which can prevent intrusion by a kernel backdoor, are thus disclosed.
  • However, Korean Patent No. 10-0635130 is limited to preventing intrusion through a kernel backdoor; it does not disclose a technique for preventing document leakage or hacking through terminals connected to a system server or an internal network.
  • The problem to be solved by the present invention is to provide a network security system and security method that perform operating system patching, application patching, software distribution, and media control for effective defense of the client system, which is the primary attack target of an APT (Advanced Persistent Threat), and that can apply recovery technology to cope with unknown hacking threats when infringement of the system is suspected.
  • APT: Advanced Persistent Threat
  • Another problem to be solved by the present invention is to provide a network security system and security method that can protect and monitor the access of user and administrator clients to key information or document information, recognize leakage of key information or document information, and eliminate the risk.
  • The present invention provides a plurality of user terminals using an internal network, a system server for storing a plurality of pieces of main information or document information generated in at least one of the plurality of user terminals, and an administrator terminal that manages the plurality of user terminals.
  • The security server identifies, among the plurality of pieces of main information or document information, the important documents that would be attacked by external hacking.
  • The security server comprises: a preventive control module that identifies and analyzes risk factors among the important documents and restricts access to the plurality of user terminals from external hacking servers known to control external access; a detection control module that monitors the network traffic accessing the important document, stores the log file of the user terminal that generated the network traffic accessing the important document, and terminates the work of the user terminal if abnormal behavior including hacking is monitored in that user terminal; and a calibration control module that generates and stores a backup system image when the plurality of user terminals access the system server, and performs a restoration operation through the backup system image when abnormal behavior is monitored in one of the plurality of user terminals. A network security system comprising these modules can thereby be provided.
  • The preventive control module may include an information asset evaluation unit that evaluates the importance of the main information or document information by assigning a score to the confidentiality, integrity, and availability of each of the plurality of pieces of main information or document information, and performs information management according to the evaluated importance.
  • The preventive control module may further include a risk analysis unit that analyzes and detects risk factors for documents of high importance among the main information or document information, and performs a safety check on all main information or document information when a risk factor is detected.
  • The preventive control module may further include a control policy management unit configured to transmit a security notice to the user terminal through the manager terminal, and to receive feedback from the user terminal on whether the security notice has been read.
  • The preventive control module includes a terminal authentication unit that authenticates the user terminal using at least one authentication element among a user ID and an OTP, an official certificate, an ARS, and a QR code.
  • A server management unit monitors and manages the access of the user terminal authenticated by the terminal authentication unit to an external network through a C&C (Command & Control) server, or access by the C&C server to the system server through the user terminal.
  • A server access control unit controls the access of the user terminal to a P2P server or a harmful site. When the important information is accessed from the user terminal, it transmits a predetermined notification message to the user terminal, containing the access time and port, in order to confirm whether the access is authorized or unauthorized.
  • When there is no reply to the notification message after it has been sent, the server access control unit determines that an intrusion or hacking from an external server is in progress and transmits a warning message to the manager terminal.
  • A network traffic analyzer is configured to collect the network traffic generated from the user terminal and to record its path.
  • The calibration control module includes: a TCP tagging and recognition unit that tags a unique ID onto the network traffic or network packets generated in the user terminal; a security agent manager that monitors the installation of the security agent on the user terminal and transmits the security agent to any user terminal on which it is not installed; a user terminal controller that determines that the main information or document information is under external attack when the user terminal does not perform authentication, and blocks access to the system server; and a system restoration unit that determines that the user terminal is infected with at least one of a virus, malicious code, and spyware, stores a backup image of the infected user terminal, and restores the backup image to the state before infection.
  • The present invention also provides a security method performed in a security server for protecting a plurality of user terminals using an internal network, a system server for storing a plurality of pieces of main information or document information generated in at least one of the plurality of user terminals, and an administrator terminal for managing the plurality of user terminals. The security method comprises: (a) defining, in the security server, a control policy for controlling access to an external network or an unconfigured server; (b) an authentication step of performing authentication in the user terminal to grant access to the system server for performing a task; (c) monitoring access to a main server, a C&C server, a P2P server, and a malicious site, and checking in the security server whether the control policy is violated while the user terminal performs a task; (d) informing the administrator terminal of the control policy violation from the security server; (e) blocking the network of the user terminal that violated the control policy at the security server; (f) storing a backup image of the user
  • The importance of the critical information or document information is evaluated by assigning a score to the confidentiality, integrity, and availability of each of the plurality of pieces of main information or document information stored in the system server, and it is managed according to the evaluated importance.
  • In step (b), authentication may be performed using at least one authentication element among the user ID and OTP, a public certificate, an ARS, and a QR code of the user terminal.
  • After step (h), the method may further comprise the step of reflecting the digital forensic results in the control policy.
  • The network security system and security method perform operating system patching, application patching, software distribution, and media control for effective defense of the client system, which is the primary attack target of an APT (Advanced Persistent Threat).
  • Recovery techniques can be applied to counter unknown hacking threats.
  • Security may be strengthened through two-factor authentication, and the information used for authentication may be protected by separating the service channel from the channel used for authentication.
  • FIG. 1 is a system diagram schematically showing a network security system according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing the internal configuration of the security server shown in FIG. 1.
  • FIG. 3 is a block diagram showing the configuration of the preventive control module shown in FIG. 2.
  • FIG. 4 is a block diagram illustrating the detection control module shown in FIG. 2.
  • FIG. 5 is a block diagram illustrating the calibration control module shown in FIG. 2.
  • FIG. 6 is a flowchart illustrating a network security method according to an embodiment of the present invention.
  • The present invention provides a plurality of user terminals using an internal network, a system server for storing a plurality of pieces of main information or document information generated in at least one of the plurality of user terminals, an administrator terminal for managing the plurality of user terminals, and a security server for protecting the user terminal, the administrator terminal, and the system server. The security server identifies, among the plurality of pieces of main information or document information, the important documents that would be attacked by an external hack.
  • The security server comprises: a preventive control module configured to analyze the risk factors among the important documents and to restrict access to the plurality of user terminals from external hacking servers known to control external access; a detection control module that monitors the network traffic accessing the important document, stores the log file of the user terminal that generated the network traffic accessing the important document, and terminates the work of the user terminal if abnormal behavior including hacking is monitored in that user terminal; and a calibration control module that generates and stores a backup system image when the plurality of user terminals access the system server, and performs a restoration operation through the backup system image when abnormal behavior is monitored in one of the plurality of user terminals. A network security system comprising these modules can thereby be provided.
  • The terms "first" and "second" are used to describe various components; they do not limit the components themselves and are used only to distinguish one component from another.
  • FIG. 1 is a system diagram schematically showing a network security system according to an embodiment of the present invention.
  • A network security system may include a user terminal 10, an administrator terminal 20, a security server 40, and a system server 30.
  • The user terminal 10 may be a terminal such as a computer, a laptop, or a smartphone used in an enterprise, a school, an institution, or the like.
  • The manager terminal 20 may likewise be a terminal such as a computer, a laptop, or a smartphone, like the user terminal 10.
  • The system server 30 may be connected to the user terminal 10 through an internal communication network and stores the plurality of pieces of main information or document information generated in the user terminal 10.
  • The system server 30 may provide the usage environment through which the user terminal 10 accesses the system server 30.
  • The security server 40 evaluates the importance of the plurality of pieces of main information or document information and sets access rights according to that importance. For example, the security server 40 assigns scores for the confidentiality, integrity, and availability of each piece of key information or document information to evaluate its importance, and grants different access rights to the key information or document information according to the evaluated importance.
  • The security server 40 analyzes risk factors and controls access to the main information or document information that has risk factors.
  • The security server 40 controls the access of the user terminal 10 to main information or document information according to the authority set for access control of that main information or document information.
  • To protect key information or document information from external hacking, the security server 40 registers in advance the external servers used for hacking, and blocks or controls access from the user terminal 10 to an external server that is a main route of hacking, as well as access to the user terminal 10 from such an external server.
  • The security server 40 monitors the network traffic of the user terminal 10.
  • The security server 40 stores a log file of the user terminal 10, and terminates the work of the user terminal or logs off the user terminal 10 when abnormal behavior including hacking through the user terminal 10 is monitored.
  • The security server 40 may generate and store a backup image of the user terminal 10, restore the backup image, and provide the restored image to the user terminal 10.
  • Before restoring the backup image, the security server 40 may update the risk factors for risks such as a hacking server connected through the user terminal 10, and notify the user terminal 10.
  • the description of the security server 40 will be described in detail later with reference to FIGS. 2 to 5.
  • FIG. 2 is a block diagram showing an internal configuration of the security server shown in FIG. 1.
  • FIG. 3 is a block diagram showing a configuration of the preventive control module shown in FIG. 2.
  • FIG. 4 is a block diagram illustrating the detection control module shown in FIG. 2.
  • FIG. 5 is a block diagram illustrating the calibration control module shown in FIG. 2.
  • The security server 40 may include a preventive control module 100, a detection control module 200, and a calibration control module 300.
  • The preventive control module 100 may include an information asset evaluation unit 110, a risk analysis unit 120, and a control policy management unit 130.
  • The information asset evaluation unit 110 evaluates the importance of the plurality of pieces of main information or document information.
  • The information asset evaluation unit 110 evaluates the importance of the main information or document information by assigning a score to the confidentiality, integrity, and availability of each of the plurality of pieces of main information or document information according to preset criteria.
  • The information asset evaluation unit 110 may set the rating of the main information or document information stored in the system server 30 as upper, middle, or lower, as A, B, C, ..., or as 1, 2, 3, ....
  • The confidentiality of some documents is set high, while that of documents such as general work documents is set relatively low.
  • The information asset evaluation unit 110 then evaluates whether a document whose confidentiality evaluation is complete has a defect. Whether the document is defective is evaluated, in the same way as the confidentiality evaluation, through whether the document is infected with a virus or malicious code, whether the document is finished, and whether it is encrypted. In addition, the information asset evaluation unit 110 sets a rating for the availability of the main information or document information in the same way as the confidentiality evaluation.
  • The information asset evaluation unit 110 sets a comprehensive rating by combining confidentiality, integrity, and availability.
  • The information asset evaluation unit 110 distinguishes key information or document information with a high comprehensive grade from key information or document information with a low comprehensive grade.
  • Once the grade of the main information or document information is determined, the information asset evaluation unit 110 may change the access authority that applies when the user terminal 10 or the manager terminal 20 accesses it, according to that grade. For example, when the grade of the main information or document information is high, the user terminal 10 may not access it, and only the manager terminal 20 may access it. When the grade of the main information or document information is lowered, the user terminal 10 may access it.
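The grading and access-rights logic of the information asset evaluation unit 110, written out as an added Python example. This is not code from the patent or its assignee; the 1-to-3 score range, the rule that an infected document scores lowest on integrity, the A/B/C thresholds, and the sample inventory are all constructed assumptions used to make the text's rule ("a high-grade document is reachable only from the manager terminal") executable.

```python
from dataclasses import dataclass

# Assumption: each of confidentiality, integrity and availability is scored
# 1 (low) .. 3 (high). The combined score (3..9) is mapped to a grade by these
# constructed thresholds; the patent only says the scores are combined.
GRADE_THRESHOLDS = ((8, "A"), (5, "B"), (0, "C"))


@dataclass(frozen=True)
class DocumentAsset:
    """One piece of main information or document information on the system server."""
    name: str
    confidentiality: int   # 1 (general work document) .. 3 (highly confidential)
    availability: int      # 1 .. 3
    infected: bool         # virus / malicious-code infection found
    encrypted: bool        # stored encrypted


def integrity_score(asset: DocumentAsset) -> int:
    """Derive the integrity ("defect") score from the checks the text names.

    Assumption: an infected document scores lowest, a clean encrypted document
    highest, and a clean unencrypted document sits in between.
    """
    if asset.infected:
        return 1
    return 3 if asset.encrypted else 2


def combined_score(asset: DocumentAsset) -> int:
    """Sum of the three CIA scores, range 3..9."""
    return asset.confidentiality + integrity_score(asset) + asset.availability


def comprehensive_grade(asset: DocumentAsset) -> str:
    """Map the combined score onto the A/B/C comprehensive grade (highest first)."""
    score = combined_score(asset)
    for floor, grade in GRADE_THRESHOLDS:
        if score >= floor:
            return grade
    raise ValueError("score below every threshold")


def may_access(asset: DocumentAsset, terminal_role: str) -> bool:
    """Access rule from the text: grade-A assets are reachable only from the
    manager terminal; lower grades are also reachable from user terminals."""
    if terminal_role == "manager":
        return True
    if terminal_role == "user":
        return comprehensive_grade(asset) != "A"
    raise ValueError(f"unknown terminal role: {terminal_role!r}")


def classify_assets(assets):
    """Split an inventory into the high-grade (important) names and the rest."""
    important = [a.name for a in assets if comprehensive_grade(a) == "A"]
    ordinary = [a.name for a in assets if comprehensive_grade(a) != "A"]
    return important, ordinary


# Constructed sample inventory (not taken from the patent).
SAMPLE_ASSETS = (
    DocumentAsset("board_minutes.docx", confidentiality=3, availability=3,
                  infected=False, encrypted=True),
    DocumentAsset("weekly_memo.docx", confidentiality=1, availability=2,
                  infected=False, encrypted=False),
    DocumentAsset("vendor_quote.xlsx", confidentiality=2, availability=1,
                  infected=True, encrypted=False),
)

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name}: score={combined_score(asset)} grade={comprehensive_grade(asset)} "
              f"user={may_access(asset, 'user')} manager={may_access(asset, 'manager')}")
```

Because `may_access` is derived from the grade rather than stored per document, lowering a document's confidentiality score automatically reopens it to user terminals, which is the behaviour the text describes for a lowered grade.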
  • The risk analysis unit 120 analyzes vulnerabilities of the network and vulnerabilities of the main information or document information.
  • The risk analysis unit 120 analyzes potential risk factors of key information or document information using a vulnerability analysis tool, and when a new vulnerability is found, it performs a security check for that vulnerability and provides information about it.
  • The risk analysis unit 120 stores a history of vulnerability inspections and of the vulnerabilities discovered among the potential risk factors, and may provide this history to the manager terminal 20.
  • The risk analysis unit 120 may present the vulnerability information or history provided to the manager terminal 20 as a graph, a figure, a numerical value, or the like, so that it can be recognized visually.
  • The control policy manager 130 controls access by the user terminal 10 or the administrator terminal 20 to unauthorized web servers in order to control access to main information or document information. To this end, the control policy management unit 130 presets the URL information of accessible web servers and of blocked web servers. When the URL of a web server is blocked, the control policy manager 130 may notify the user terminal 10 or the administrator terminal 20 that access is blocked.
  • The control policy management unit 130 may force a security notification onto the user terminal 10. For example, when the control policy management unit 130 transmits a security notification in the form of a web page from the manager terminal 20 to the user terminal 10, the control policy manager 130 blocks the web page currently open on the user terminal 10 and redirects it to the security notification web page.
  • The control policy manager 130 tracks the security notice sent to the user terminal 10 so that whether the security notice sent from the manager terminal 20 has been confirmed by the user terminal 10 is fed back to the control policy manager 130.
  • The detection control module 200 may include a terminal authenticator 210, a server manager 220, a server access controller 230, and a network traffic analyzer 240.
  • The terminal authenticator 210 may perform access authentication to the system server 30 for the task of the user terminal 10 or the manager terminal 20.
  • The terminal authentication unit 210 may use a two-factor authentication method that authenticates with two or more authentication elements. For example, the terminal authentication unit 210 performs the first authentication with the ID and password entered at the user terminal 10 or the administrator terminal 20, and after the first authentication is completed, performs the secondary authentication using a method such as an OTP, an accredited certificate, an ARS, or a QR code. Through this, the access security of the terminal can be strengthened.
  • The terminal authenticator 210 performs authentication through a separate channel, and that authentication channel is not used by any other service. In this way, the user terminal 10 or the manager terminal 20 can fundamentally block the risk of an attacker taking over the account during authentication.
  • The system server 30 may be notified of access to the system server 30 from the user terminal 10 or the manager terminal 20.
  • The server manager 220 manages an IP list of Command & Control (C&C) servers that serve as hosts of an advanced persistent threat (APT), and collects and analyzes related information.
  • The server manager 220 periodically updates the list of new C&C servers provided as an RSS service, and manages access to the user terminal 10 or the manager terminal 20 through a C&C server, as well as access from the user terminal 10 or the manager terminal 20 to the system server 30 through a C&C server.
  • The server access control unit 230 may control access by the user terminal 10 or the administrator terminal 20 to a P2P server or a harmful site.
  • The server access control unit 230 may control access to harmful sites using preset URL information for P2P servers and harmful sites. Here, the server access control unit 230 controls access to P2P servers and harmful sites other than C&C server access.
  • When the main information or document information is accessed from a terminal, the server access control unit 230 transmits to that terminal a notification message stating the access time and port, in order to check whether the access is authorized or unauthorized.
  • If no reply is received after the notification has been sent, the server access control unit 230 determines that an intrusion from an external server is in progress and transmits a warning message using a phone number, a messenger, an e-mail address, or the like set in the administrator terminal 20.
  • The server access control unit 230 detects when the user terminal 10 accesses the main information or document information and notifies the manager terminal 20.
  • The network traffic analyzer 240 collects all network traffic generated by the user terminal 10 and stores its path. When unauthorized access to main information or document information is monitored in the user terminal 10, the network traffic analyzer 240 may also collect the port, the service activity state, the main Windows log, and the like of that user terminal 10 for accurate analysis.
  • The network traffic analyzer 240 may skip packet monitoring for a site or server that is registered in advance using a pre-matched URL and IP.
  • The network traffic analyzer 240 may monitor the secret packets transmitted through encrypted communication in order to detect an IP-based C&C server.
  • The calibration control module 300 may include a TCP packet tagging and recognition unit 310, a security agent manager 320, a central document manager 330, a user terminal controller 340, and a system restorer 350.
  • The TCP packet tagging and recognition unit 310 may tag a unique ID onto every TCP packet generated in the user terminal 10, in order to distinguish the network packets generated in the user terminal 10 using the router of the internal network. Through this, the TCP packet tagging and recognition unit 310 distinguishes the TCP packets so that the network traffic collected by the network traffic analyzer 240 can be analyzed easily.
  • The security agent manager 320 monitors the installation of the security agent (for example, a security program or an antivirus program) on the user terminal 10, and transmits the security agent to any user terminal 10 on which it is not installed so that it can be installed there.
  • The security agent manager 320 also updates the security agent installed on the user terminal 10 to the latest version.
  • The central document manager 330 uses a file system driver to store documents worked on at the user terminal 10 in the system server 30.
  • The file system driver may be the standard file system used for document preparation on the user terminal 10.
  • The user terminal control unit 340 determines that an external attack is in progress, and may block the network of the user terminal 10 and its access to the main medium (system server, etc.) used for communication.
  • The user terminal controller 340 accesses the user terminal 10 and forcibly terminates the execution of any process or program classified as a threat, such as malware, spyware, a virus, or a spy bot, or prevents the process from executing.
  • The user terminal controller 340 generates a one-time password allowing access to the system server 30 and transmits it to a user terminal 10 on which no risk factor was found; when that password is entered, access to the system server 30 is granted.
  • The system restorer 350 stores a backup image of the corresponding user terminal.
  • The system restorer 350 restores the user terminal 10 to the state before its infection with a virus, malware, spyware, a spy bot, or the like.
  • The system restoration unit 350 may perform digital forensics and notify the control policy management unit 130 of the forensic results.
  • FIG. 6 is a flowchart illustrating a network security method according to an embodiment of the present invention.
  • A control policy is defined in the preventive control module of the security server (S150), the user terminal is authenticated (S220), and the user terminal performs its task.
  • Defining the control policy (S150) is a step performed in the preventive control module 100. It is preceded by an information asset business impact evaluation step (S110), a step of identifying critical assets (S120), a risk analysis step (S130), and a vulnerability analysis step (S140).
  • The information asset business impact evaluation step (S110) and the step of identifying important assets (S120) evaluate the importance of the important information or document information stored in the system server 30 according to the set criteria, and identify the important assets according to that importance.
  • The importance of the main information or document information is evaluated from its confidentiality, integrity, and availability in the information asset evaluation unit 110. Main information or document information of high grade is classified as an important asset.
  • The risk analysis step (S130) and the vulnerability analysis step (S140) analyze the vulnerabilities of the internal network and the vulnerabilities of the main information or document information in the preventive control module 100.
  • A vulnerability analysis tool or program is used to analyze the potential risks of key information or document information. If a risk factor of main information or document information is found in the risk analysis step (S130), a safety check is performed and the manager terminal 20 is notified.
  • Defining the control policy defines the URLs of accessible servers and the URLs of access-prohibited servers in order to control access to main information or document information. Through this, access to the URL of a prohibited server from the user terminal or the administrator terminal can be blocked, and the work being performed on the user terminal 10 or the administrator terminal 20 can be terminated.
  • Defining the control policy may include forcing a security notification onto the user terminal 10.
  • The preventive control module 100 causes the security notification to be transmitted to the user terminal 10 through the manager terminal 20; the user terminal 10 receiving the security notification blocks the web page currently open and is redirected to the announcement web page.
  • Two-factor authentication is performed in advance.
  • The two-factor authentication performs the first authentication through the user ID and password as described above, and performs the second authentication using an additional authentication means (for example, an OTP, a public certificate, an ARS, or a QR code).
  • Otherwise, the user terminal 10 may be denied access to the system server 30, or the user terminal 10 may be terminated (S225).
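The two-step authentication described for the terminal authentication unit 210 and repeated in the S220/S225 steps above, as an added Python example that is not part of the patent. It models the first factor as a salted PBKDF2 password check and the second factor as an RFC 6238 time-based OTP (one of the secondary methods the text lists); the `TerminalAuthenticator` class, the user records, the 30-second step, and the ±1-step acceptance window are all constructed assumptions. The OTP secret used in the usage section is the RFC 6238 reference vector, so the expected codes are known.

```python
import hashlib
import hmac
import os
import struct

TOTP_STEP = 30       # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HMAC-SHA1 one-time password (RFC 4226) for an 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at_time // step)


def verify_otp(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the OTP of the current step or of `window` neighbouring steps
    (clock drift), comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * TOTP_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class TerminalAuthenticator:
    """Hypothetical stand-in for the terminal authentication unit 210."""

    def __init__(self) -> None:
        self._users = {}                   # user_id -> (salt, password_hash, otp_secret)
        self._dummy_salt = os.urandom(16)  # used so unknown users cost the same time

    def enroll(self, user_id: str, password: str, otp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, hash_password(password, salt), otp_secret)

    def first_factor(self, user_id: str, password: str) -> bool:
        """ID + password check. Unknown users still run PBKDF2 to avoid a timing oracle."""
        record = self._users.get(user_id)
        if record is None:
            hash_password(password, self._dummy_salt)
            return False
        salt, stored_hash, _ = record
        return hmac.compare_digest(hash_password(password, salt), stored_hash)

    def second_factor(self, user_id: str, otp: str, at_time: int) -> bool:
        """OTP check; the text says this runs on a separate channel, which the
        caller is responsible for (this class only validates the code)."""
        record = self._users.get(user_id)
        return record is not None and verify_otp(record[2], otp, at_time)

    def authenticate(self, user_id: str, password: str, otp: str, at_time: int) -> str:
        """Return 'granted' (S220 passed) or the step at which access was denied (S225)."""
        if not self.first_factor(user_id, password):
            return "denied_first_factor"
        if not self.second_factor(user_id, otp, at_time):
            return "denied_second_factor"
        return "granted"


# Constructed enrollment using the RFC 6238 reference secret (ASCII "12345678901234567890").
REFERENCE_SECRET = b"12345678901234567890"


def demo() -> str:
    auth = TerminalAuthenticator()
    auth.enroll("user-terminal-10", "correct horse battery", REFERENCE_SECRET)
    # At T=59 the reference vector gives 6-digit code 287082.
    return auth.authenticate("user-terminal-10", "correct horse battery", "287082", at_time=59)


if __name__ == "__main__":
    print(demo())  # granted
```

Keeping the second factor in its own `second_factor` call is what lets the authentication channel be served separately from the working channel, as the text requires; a deployment would expose `second_factor` only on that dedicated channel.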
  • the user terminal 10 may store main information or document information generated after the work in the system server (S230 and S235). In addition, the user terminal 10 may receive a major security bulletin notification received from the manager terminal 20 (S240). The manager terminal 20 or the system server 30 may store a confirmation log corresponding thereto. The user terminal 10 receives a security agent from the user terminal controller 340 and performs a security check inside the user terminal 10 (S250). At this time, the security agent is periodically updated. Thereafter, the result log of the security check may be stored in the system server 30 or the security server 40 (S255). After the security check, the user terminal 10 may continue to perform the task (S260).
  • the detection control module 200 monitors the abnormal behavior from the user terminal 10 during the performance of the user terminal 10 (S270). In this case, when abnormal behavior is not detected in the user terminal 10, the work is normally performed, and the work ends after the work is performed. Here, after the end of the work, the calibration control module 300 checks whether the security patch transmitted to the user terminal 10 (S350). If there is no need for a security patch as a result of the security patch check, the window of the user terminal 10 may be finally terminated. If a security patch is required, the image of the user terminal 10 is stored. Subsequently, the security patch is installed on the user terminal 10 (S370), and a log file of installation information is stored. Subsequently, after storing the system image of the user terminal 10 (S375), the system image is restored (S360).
  • the main server access is checked (S275).
  • the information on the main server may be URLs or IP addresses of preset servers.
  • the detection control module 200 transmits a user confirmation notification message to the corresponding user terminal when the main server access is confirmed as a result of the main server access check (S280).
  • the user terminal 10 requests the authentication (S300).
  • the two-factor authentication described above may be performed for authentication with the user terminal 10.
  • the user terminal 10 and the security server 40 may perform authentication through a dedicated channel for authentication. When the authentication is completed, the work continues (S260).
  • if main server access is not confirmed, the detection control module 200 checks whether there is access to a C&C server (S290). If there is no access to a C&C server, it checks for P2P server access (S295). If it is determined that no P2P server is accessed, access to a harmful site is checked (S299). If access to a C&C server, a P2P server or a harmful site is determined in the above steps, it is determined whether the policy is violated (S297). If the detection control module 200 determines a policy violation by the user terminal 10, it notifies the manager terminal 20 and stores a log file (S310).
  • the system image of the user terminal 100 is stored for forensics (S330).
  • the final system full image of the user terminal is stored for the digital forensics of the user terminal 10.
  • the security server described above may be combined with the system server and may be an OS or a program operating in the system server.
  • the terminal authentication unit has been described, for example, as included in the detection control module, but is not limited thereto and may be included in the calibration control module or the system server.
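The access-check chain S275 to S330 described in the bullets above, modelled as an added Python example (this is not code from the patent or its assignee); the watchlists, the `policy_allows` callback and the action names are assumptions for illustration, built from reserved example domains and TEST-NET ranges.

```python
"""Model of the detection control module's decision flow S275-S330.
All watchlist entries below are constructed placeholders, not indicators
taken from the patent."""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed watchlists. MAIN_SERVERS holds the preset URLs / IP addresses of
# the protected main servers (S275); the others feed the S290/S295/S299 checks.
MAIN_SERVERS = ["https://erp.example.com", "192.0.2.0/24"]
CNC_SERVERS = ["c2.example.net", "198.51.100.7"]
P2P_SERVERS = ["tracker.example.org"]
HARMFUL_SITES = ["malware.example.net"]

@dataclass
class Verdict:
    category: str                      # main_server | cnc | p2p | harmful | normal
    actions: list = field(default_factory=list)

def _host_of(entry: str) -> str:
    """Reduce a URL, hostname or IP/CIDR watchlist entry to its host part."""
    if "://" in entry:
        return urlparse(entry).hostname or entry
    return entry

def matches(dest: str, entries) -> bool:
    """True if dest (hostname or IP) equals a listed host, is a subdomain of
    one, or falls inside a listed IP address / network."""
    for entry in entries:
        host = _host_of(entry)
        try:
            if ipaddress.ip_address(dest) in ipaddress.ip_network(host, strict=False):
                return True
        except ValueError:             # not an IP on one side: compare as names
            if dest == host or dest.endswith("." + host):
                return True
    return False

def check_access(dest: str, policy_allows=lambda category, dest: False) -> Verdict:
    """S275 -> S280/S300 for main servers; otherwise S290 -> S295 -> S299 -> S297/S310.
    policy_allows(category, dest) is the assumed hook for the policy check of S297."""
    if matches(dest, MAIN_SERVERS):                        # S275: main server access
        return Verdict("main_server", ["notify_user", "request_two_factor_auth"])
    for category, entries in (("cnc", CNC_SERVERS), ("p2p", P2P_SERVERS),
                              ("harmful", HARMFUL_SITES)):  # S290, S295, S299
        if matches(dest, entries):
            if policy_allows(category, dest):              # S297: no violation
                return Verdict(category, [])
            return Verdict(category, ["notify_manager", "store_log",
                                      "store_system_image"])  # S310, S330
    return Verdict("normal", [])
```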

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Technology Law (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a network security system and can provide a network security system comprising: a plurality of user terminals using an intranet; a system server for storing a plurality of items of main information or document information generated by at least one user terminal of the plurality of user terminals; a manager terminal for managing the plurality of user terminals; and a security server for protecting the user terminals, the manager terminal and the system server.
PCT/KR2015/011066 2015-08-25 2015-10-20 Network security system and security method WO2017034072A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020150119696A KR101744631B1 (ko) 2015-08-25 2015-08-25 Network security system and security method
KR10-2015-0119696 2015-08-25

Publications (1)

Publication Number Publication Date
WO2017034072A1 true WO2017034072A1 (fr) 2017-03-02

Family

ID=58100642

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2015/011066 WO2017034072A1 (fr) 2015-08-25 2015-10-20 Network security system and security method

Country Status (2)

Country Link
KR (1) KR101744631B1 (fr)
WO (1) WO2017034072A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112217770A (zh) * 2019-07-11 2021-01-12 奇安信科技集团股份有限公司 Security detection method and apparatus, computer device and storage medium
CN115021999A (zh) * 2022-05-27 2022-09-06 武汉云月玲智科技有限公司 Network information security monitoring system and method based on big data management

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101989581B1 (ko) * 2017-07-24 2019-06-14 한국전자통신연구원 Apparatus and method for verifying files for transfer to an internal network
KR102199054B1 (ko) 2017-08-10 2021-01-07 한국전자통신연구원 Serial-port-based cyber security vulnerability inspection apparatus and method
KR102196970B1 (ko) 2017-12-06 2020-12-31 한국전자통신연구원 Apparatus and method for inspecting security vulnerabilities via console access
KR101983997B1 (ko) * 2018-01-23 2019-05-30 충남대학교산학협력단 Malicious code detection system and detection method
KR101986738B1 (ko) * 2018-11-28 2019-06-07 (주)시큐레이어 Method for providing visualization of information for a network monitoring service, and apparatus using the same
KR102559568B1 (ko) * 2019-03-11 2023-07-26 한국전자통신연구원 Security control apparatus and method in an Internet of Things infrastructure environment
KR102611045B1 (ko) 2021-11-18 2023-12-07 (주)디에스멘토링 Multi-trust-level-based access control system
KR102623681B1 (ko) * 2022-02-21 2024-01-11 주식회사 리니어리티 System and method for detecting malicious code infection through network communication log analysis
KR102678389B1 (ko) * 2022-05-13 2024-06-25 (주)플레인비트 Forensic-analysis-based cyber incident analysis system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040065674A (ko) * 2003-01-15 2004-07-23 권창훈 Integrated host-based security system and method
KR20060058296A (ko) * 2004-11-25 2006-05-30 주식회사 코어그리드테크놀로지 Integrated operation method for automatic backup and recovery of systems/data
KR20070105199A (ko) * 2006-04-25 2007-10-30 엘지엔시스(주) Network security apparatus and packet data processing method using the same
KR20090094922A (ko) * 2008-03-04 2009-09-09 주식회사 조은시큐리티 Lightweight home network intrusion detection and blocking system and method
WO2014100103A1 (fr) * 2012-12-18 2014-06-26 Mcafee, Inc. Automated asset criticality assessment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112217770A (zh) * 2019-07-11 2021-01-12 奇安信科技集团股份有限公司 Security detection method and apparatus, computer device and storage medium
CN112217770B (zh) * 2019-07-11 2023-10-13 奇安信科技集团股份有限公司 Security detection method and apparatus, computer device and storage medium
CN115021999A (zh) * 2022-05-27 2022-09-06 武汉云月玲智科技有限公司 Network information security monitoring system and method based on big data management

Also Published As

Publication number Publication date
KR101744631B1 (ko) 2017-06-20
KR20170024428A (ko) 2017-03-07

Similar Documents

Publication Publication Date Title
WO2017034072A1 (fr) Network security system and security method
CN105409164B (zh) Rootkit detection by detecting contradictions in network traffic using hardware resources
EP3225010B1 (fr) Systems and methods for ensuring the accuracy of malicious code detection
US7653941B2 (en) System and method for detecting an infective element in a network environment
US20060026683A1 (en) Intrusion protection system and method
WO2017069348A1 (fr) Method and device for automatically verifying a security event
WO2013048111A2 (fr) Method and apparatus for detecting an intrusion in a cloud computing service
CN113660224B (zh) Situational awareness defense method, apparatus and system based on network vulnerability scanning
US10142343B2 (en) Unauthorized access detecting system and unauthorized access detecting method
KR20120010562A (ko) Integrated hacker and virus security management device
KR100788256B1 (ko) System and method for monitoring web server tampering over a network
WO2021112494A1 (fr) Endpoint-based management-type detection and response system and method
CN113411295A (zh) Role-based access control situational awareness defense method and system
CN113411297A (zh) Attribute-based access control situational awareness defense method and system
CN113660222A (zh) Mandatory access control based situational awareness defense method and system
KR101006372B1 (ko) Harmful traffic isolation system and method
CN110086812B (zh) Secure and controllable intranet security patrol system and method
KR101614809B1 (ko) Endpoint application execution control system and control method thereof
KR20070061287A (ko) Apparatus and method for protecting users' credit information and intellectual property against information denial attacks
KR20100067383A (ko) Server security system and server security method
CN113824678A (zh) System and method for processing information security events to detect network attacks
Choi IoT (Internet of Things) based Solution Trend Identification and Analysis Research
WO2018079867A1 (fr) Restoration method using a network restoration system in an advanced persistent threat environment
Wang Design and research on the test of internal network penetration test
Ruha Cybersecurity of computer networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15902344

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15902344

Country of ref document: EP

Kind code of ref document: A1