WO2021187782A1 - Method for detecting malicious traffic and device therefor - Google Patents

Method for detecting malicious traffic and device therefor

Info

Publication number
WO2021187782A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
party
certificate
certification authority
malicious traffic
Prior art date
Application number
PCT/KR2021/002792
Other languages
English (en)
Korean (ko)
Inventor
양철웅
양우석
이윤석
Original Assignee
(주)수산아이앤티
Priority date
Filing date
Publication date
Application filed by (주)수산아이앤티

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Definitions

  • An embodiment of the present invention relates to a method and an apparatus for detecting malicious traffic caused by a malicious code.
  • An example of a method for detecting malicious traffic includes: receiving a server certificate transmitted by the server in a handshake process for a secure connection between a server and a client; determining whether the server certificate is digitally signed by a third party other than the server by comparing the issuer field and the owner field of the server certificate; verifying whether the digital signature is by the third party by verifying the digital signature based on the public key of the third party; and classifying the traffic as traffic generated by malicious code when the third party or the third party's higher-level certification authority is not a predefined trusted authority.
  • An example of an apparatus for detecting malicious traffic includes: a certificate receiving unit that receives a server certificate transmitted by the server in a handshake process for a secure connection between a server and a client; a digital signature verification unit that determines, by comparing the issuer field and the owner field of the server certificate, whether the server certificate is digitally signed by a third party other than the server, and verifies whether the digital signature is by the third party by verifying the digital signature based on the public key of the third party; a certification authority verification unit configured to determine whether the third party or at least one higher-level certification authority existing in an upper layer of the third party is a predefined trusted authority; and a malicious code detection unit that classifies the traffic as traffic generated by malicious code when the third party or the higher-level certification authority is not a predefined trusted authority.
  • malicious traffic can be detected without a process of decrypting packets exchanged in a secure connection between a client and a server.
  • FIG. 1 is a diagram illustrating an example of a schematic structure of an entire system to which a malicious traffic detection method according to an embodiment of the present invention is applied;
  • FIG. 2 is a view showing an example of an Internet security connection method to which an embodiment of the present invention is applied;
  • FIG. 3 is a diagram illustrating an example of a hierarchical certification authority according to an embodiment of the present invention.
  • FIG. 4 is a flowchart illustrating an example of a method for detecting malicious traffic using a server certificate according to an embodiment of the present invention.
  • FIG. 5 is a view showing an example of a fingerprint according to an embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating another embodiment of a method for detecting malicious traffic according to an embodiment of the present invention.
  • FIG. 8 is a diagram illustrating an example of the configuration of a detection apparatus according to an embodiment of the present invention.
  • FIG. 1 is a diagram illustrating an example of a schematic structure of an entire system to which a malicious traffic detection method according to an embodiment of the present invention is applied.
  • The client 110 and the server 120 are connected through the Internet 130, and the detection device 100 receives, through the mirroring device 140, the mirrored packets transmitted and received between the client 110 and the server 120.
  • The detection device 100 may also be placed at the location of the mirroring device 140, without the mirroring device 140.
  • the detection apparatus 100 may be implemented in various forms according to embodiments, such as at least one or more physical servers or cloud systems.
  • the detection device 100 may be implemented as a part of a firewall or a part of existing security equipment.
  • FIG. 2 is a diagram illustrating an example of an Internet security connection method to which an embodiment of the present invention is applied.
  • the server 130 receives a server certificate from the certification authority 150 ( S200 , S210 ).
  • the certification authority 150 is a server that issues a digitally signed certificate, and may have a hierarchical structure as shown in FIG. 3 according to an embodiment.
  • The highest-level certification authority may delegate the certification task to a plurality of next-level certification authorities, and each of those may in turn delegate the certification task to certification authorities at the level below it.
  • The server 120 may request certification from a certification authority located at the bottom of the hierarchy to receive a digitally signed server certificate.
  • the server certificate is signed with the private key of the certification authority 150 , and the public key of the certification authority 150 is made public. Therefore, the server certificate can be verified by decrypting the server certificate using the public key.
  • X.509 may be used as an example of the server certificate.
  • When the client 110 accesses the server 120 (S220), the server 120 provides a server certificate to the client 110 (S230).
  • the client 110 receiving the server certificate performs a handshake process for a secure connection (S250). Since the handshake process is defined in standards such as TLS (Transport Layer Security), a description thereof will be omitted.
  • FIG. 3 is a diagram illustrating an example of a hierarchical certification authority according to an embodiment of the present invention.
  • There is a highest-level certification authority 300, at least one second-level certification authority 310, 312 below it, and at least one next-level certification authority 320, 322 below the second-level certification authorities 310, 312.
  • two or more top level certification authorities 300 may exist.
  • the top-level certification authority 300 is predefined as a trusted authority. In this embodiment, three layers are shown for better understanding, but the number of layers may vary depending on the embodiment.
  • the second-level certification authorities 310 and 312 have certificates signed by the highest-level certification authority 300, and the next-level certification authorities 320 and 322 have certificates signed by the second-level certification authorities 310 and 312.
  • The server is issued a server certificate signed by the next-level certification authorities 320, 322, so that the server certificate received by the server is digitally signed in a chain from the next-level certification authorities 320, 322 up to the highest-level certification authority 300.
  • a normal server uses a server certificate signed by a certification authority, but a C&C server that causes malicious traffic does not receive a normal server certificate from the certification authority. Therefore, this embodiment proposes a method for detecting malicious traffic based on whether the server certificate is a certificate normally issued by a certification authority, and an example of this is shown in FIG. 4 .
  • FIG. 4 is a flowchart illustrating an example of a method for detecting malicious traffic using a server certificate according to an embodiment of the present invention.
  • the detection apparatus 100 receives a server certificate transmitted by the server to the client in a secure connection process between the client and the server ( S400 ).
  • the detection device 100 may receive a server certificate through a mirroring device.
  • the server certificate is transmitted in unencrypted plaintext form. If the server certificate is encrypted, an additional process of decrypting it can be added.
  • The detection device 100 determines whether the digital signature of the server certificate is a signature by a third party other than the server that transmitted the server certificate (S420). For example, a C&C server may use a self-signed certificate to appear to hold a legitimate server certificate. The detection apparatus 100 may compare the issuer field and the subject (owner) field of the server certificate to determine whether the digital signature of the server certificate is by a third party rather than the server itself. If the issuer field and the owner field are the same, the server certificate is a certificate signed by the server itself.
  • the C&C server can make the issuer field and owner field of the server certificate different, so that the server certificate can be faked as if it was issued normally.
  • the detection device 100 verifies the server certificate with the public key of the certificate authority described as the issuer in the server certificate, and can determine whether the certificate authority described in the server certificate actually signed (S420). For example, the server certificate states that it is signed by "verisign", but if the digital signature value is verified with the public key of "verisign", the value may not be correct.
  • the C&C server may use a server certificate actually signed by a third party.
  • If the third party listed in the server certificate actually signed it, validating the digital signature value with the third party's public key gives the correct value.
  • the third party may not be a trusted certification authority. Accordingly, the detection device 100 determines whether the third party who signed the digital signature is a trusted institution (S430). For example, in the case of having a hierarchical certification authority structure as shown in FIG.
  • The detection device 100 identifies and verifies the certification authorities 320, 322 of the lowest layer that signed the server certificate and, if the verification is successful, identifies and verifies the second-level certification authorities 310, 312 existing in the layer above. In this way, if verification is successful up to the highest certification authority 300, it is determined whether the top certification authority 300 belongs to a predefined trusted authority.
  • If the detection device 100 cannot reach the highest certification authority 300 normally (that is, verification fails partway along the chain from the lowest certification authority to the highest certification authority), or if the top certification authority 300 is not a predefined trusted authority, the traffic between the server and the client is classified as malicious traffic (S440).
  • FIG. 5 is a diagram illustrating an example of a fingerprint according to an embodiment of the present invention.
  • parameters included in packets exchanged between a client and a server during a handshake process for a secure Internet connection are determined for each communication software.
  • the parameter values included in the packet of the handshake process are the same every time. However, if the type of server the client connects to is changed, the parameter value also changes.
  • For example, among the parameters included in the 'Client Hello' packet 500 of the TLS handshake process, several parameter values such as 'version' 510, 'cipher suites' 520, and 'extension' 530, 540, 550 depend on which server the client is communicating with. Accordingly, by combining at least one or more values of the parameters included in the 'Client Hello' packet 500, a fingerprint capable of specifying the type of server with which the client communicates can be created.
  • Although this embodiment exemplifies the 'Client Hello' packet 500, it is also possible to create a fingerprint that can specify the server type based on parameters included in the packet transmitted by the server to the client.
  • FIG. 6 is a flowchart illustrating an example of a method for detecting malicious traffic using a fingerprint according to an embodiment of the present invention.
  • the detection apparatus 100 receives a packet exchanged between a client and a server in a handshake process for a secure connection ( S600 ).
  • the detection apparatus 100 generates a fingerprint by using the parameters included in the packet (S610).
  • the type of packet used to generate the fingerprint and the parameter type of the corresponding packet are predefined.
  • the detection apparatus 100 determines whether the fingerprint exists in a predefined fingerprint list (S620).
  • the fingerprint list is a list in which a fingerprint of a packet that appears when communicating with a server causing malicious traffic is predefined.
  • the fingerprint list is predefined by the user.
  • list details may be added, updated, or deleted by the user.
  • If the fingerprint exists in the fingerprint list, the detection apparatus 100 classifies the traffic between the client and the server as malicious traffic (S630).
  • FIG. 7 is a flowchart illustrating another embodiment of a method for detecting malicious traffic according to an embodiment of the present invention.
  • the detection apparatus 100 may use a plurality of malicious traffic detection methods.
  • The detection apparatus 100 receives a packet between the client and the server to determine the IP address of the server (S700). If the server's IP address exists in the list of C&C servers that cause malicious code (i.e., the C&C list) (S710), the detection apparatus 100 classifies the traffic as malicious traffic (S740).
  • The detection apparatus 100 performs an inspection using the fingerprint-based malicious traffic detection method described with reference to FIG. 6 (S720). In another embodiment, when malicious traffic is detected, the detection apparatus 100 may add the IP address of the server to the C&C list.
  • The detection apparatus 100 performs an inspection using the server-certificate-based malicious traffic detection method described with reference to FIG. 4 (S730).
  • the detection apparatus 100 may reflect the IP address of the server in the C&C list and reflect the fingerprint in the fingerprint list.
  • FIG. 8 is a diagram illustrating an example of the configuration of a detection apparatus according to an embodiment of the present invention.
  • The detection device 100 includes a certificate receiving unit 800, a digital signature identifying unit 810, a certification authority identifying unit 820, a malicious code detecting unit 830, an IP verifying unit 840, and a fingerprint verification unit 850. According to an embodiment, all or part of the IP verification unit 840 and the fingerprint verification unit 850 may be omitted.
  • the certificate receiving unit 800 receives a server certificate transmitted by the server during a secure connection process between the client and the server.
  • The digital signature identifying unit 810 determines whether the server certificate is digitally signed by the server itself and, if the server certificate is digitally signed by a third party rather than the server itself, verifies, using the third party's public key, that the third party actually made the signature.
  • The certification authority identification unit 820 identifies the highest-level certification authority through the process of sequentially identifying and verifying the third party and the third party's upper-level certification authorities, and checks whether the top-level certification authority is a predefined trusted authority.
  • the malicious code detection unit 830 classifies the traffic as malicious traffic if the digital signature value is not sequentially verified up to the top certification authority or the top certification authority is not a predefined trusted authority.
  • the IP verification unit 840 determines whether the server IP address exists in a predefined C&C list. If the server IP address exists in the C&C list, the IP verification unit 840 classifies it as malicious traffic.
  • The fingerprint verification unit 850 generates a fingerprint based on the parameter values of packets exchanged in the handshake process for a secure connection between the server and the client, and determines whether the fingerprint exists in a predefined fingerprint list. If the fingerprint exists in the fingerprint list, the fingerprint verification unit 850 classifies the traffic between the server and the client as malicious traffic.
  • the present invention can also be embodied as computer readable program code on a computer readable recording medium.
  • the computer-readable recording medium includes all kinds of recording devices in which data readable by a computer system is stored. Examples of the computer-readable recording medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, and optical data storage device.
  • the computer-readable recording medium is distributed in a network-connected computer system so that the computer-readable code can be stored and executed in a distributed manner.
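
The server-certificate checks of FIG. 4 (issuer versus subject comparison, signature verification with the named issuer's public key, walk up to a predefined trusted authority), written out in Go with the standard library. This is an added example, not code from the patent or the applicant; the function names, verdict strings and constructed certificates (`shop.example`, `Private CA` and so on) are assumptions, and validity dates, revocation and host names are not checked because the description does not use them.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	Benign        = "benign"
	SelfSigned    = "malicious: issuer equals subject (self-signed)"
	BrokenChain   = "malicious: issuer unknown or signature fails under its key"
	UntrustedRoot = "malicious: chain ends outside the predefined trusted authorities"
)

// classify applies the FIG. 4 checks to a leaf and the CA certificates seen with it.
func classify(leaf *x509.Certificate, presented, trusted []*x509.Certificate) string {
	if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) {
		return SelfSigned
	}
	// Index issuers by subject DN; trusted last, so a presented certificate cannot shadow one.
	bySubject, isTrusted := map[string]*x509.Certificate{}, map[string]bool{}
	for _, c := range presented {
		bySubject[string(c.RawSubject)] = c
	}
	for _, c := range trusted {
		bySubject[string(c.RawSubject)] = c
		isTrusted[string(c.Raw)] = true
	}
	for cur, hops := leaf, 0; hops <= len(bySubject); hops++ { // bound stops issuer loops
		issuer, ok := bySubject[string(cur.RawIssuer)]
		if !ok || cur.CheckSignatureFrom(issuer) != nil { // key of the authority named as issuer
			return BrokenChain
		}
		if isTrusted[string(issuer.Raw)] {
			return Benign
		}
		if bytes.Equal(issuer.RawIssuer, issuer.RawSubject) { // top of chain, not trusted
			return UntrustedRoot
		}
		cur = issuer
	}
	return BrokenChain
}

// mint creates a constructed certificate; a nil parent makes it self-signed.
func mint(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	var cert *x509.Certificate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(fmt.Errorf("mint %q: %w", cn, err))
	}
	return cert, key
}

// demo classifies four constructed servers against one trusted root.
func demo() map[string]string {
	root, rootKey := mint("Constructed Root CA", true, nil, nil)
	inter, interKey := mint("Constructed Issuing CA", true, root, rootKey)
	good, _ := mint("shop.example", false, inter, interKey)
	self, _ := mint("self.example", false, nil, nil)
	// Correctly signed, but by an authority outside the trusted list.
	rogue, rogueKey := mint("Private CA", true, nil, nil)
	signed, _ := mint("c2.example", false, rogue, rogueKey)
	// Issuer field names the issuing CA, but an unrelated key made the signature.
	forged, _ := mint("forged.example", false, &x509.Certificate{RawSubject: inter.RawSubject}, rogueKey)
	trusted := []*x509.Certificate{root}
	return map[string]string{
		"good":   classify(good, []*x509.Certificate{inter}, trusted),
		"self":   classify(self, nil, trusted),
		"rogue":  classify(signed, []*x509.Certificate{rogue}, trusted),
		"forged": classify(forged, []*x509.Certificate{inter}, trusted),
	}
}

func main() { fmt.Println(demo()) }
```

The `forged` case is the one the issuer/subject comparison alone misses: the names look like a normal issuance, and only the signature check against the named issuer's key exposes it.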
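
The fingerprint steps of FIG. 6 (S600 to S630) as an added Go example, not code from the patent: it parses a single-record ClientHello, builds a fingerprint from 'version', 'cipher suites' and the extension types, and looks it up in a list. The fingerprint format (decimal fields hashed with SHA-256), the dropping of GREASE values and the constructed sample record are assumptions; the description only says that parameter values are combined.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// reader is a bounds-checked cursor; after one short read it stays failed.
type reader struct {
	b   []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err != nil || n > len(r.b) {
		r.err = errors.New("truncated ClientHello")
		return nil
	}
	out := r.b[:n]
	r.b = r.b[n:]
	return out
}

// num reads a big-endian integer that is width bytes long (0 on a short read).
func (r *reader) num(width int) (v int) {
	for _, x := range r.take(width) {
		v = v<<8 | int(x)
	}
	return v
}

// isGrease matches the RFC 8701 placeholders (0x0a0a ... 0xfafa) some clients insert at random.
func isGrease(v int) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }

// ids decodes 16-bit values as decimal strings, skipping GREASE.
func ids(b []byte) (out []string) {
	for r := (&reader{b: b}); len(r.b) > 1; {
		if v := r.num(2); !isGrease(v) {
			out = append(out, strconv.Itoa(v))
		}
	}
	return out
}

// fingerprint hashes "version,cipher suites,extension types" of one ClientHello record.
func fingerprint(record []byte) (string, error) {
	r := &reader{b: record}
	recType := r.num(1)
	r.take(2) // record-layer version
	hs := &reader{b: r.take(r.num(2))}
	if r.err != nil {
		return "", r.err
	}
	if recType != 0x16 || hs.num(1) != 0x01 {
		return "", errors.New("not a ClientHello record")
	}
	hs.take(3) // handshake length
	version := hs.num(2)
	hs.take(32)        // random
	hs.take(hs.num(1)) // session id
	ciphers := ids(hs.take(hs.num(2)))
	hs.take(hs.num(1)) // compression methods
	var exts []string
	if len(hs.b) > 0 { // the extensions block is optional
		hs.b = hs.take(hs.num(2))
	}
	for len(hs.b) > 0 && hs.err == nil {
		exts = append(exts, ids(hs.take(2))...) // extension type
		hs.take(hs.num(2))                      // extension body is not used
	}
	if hs.err != nil {
		return "", hs.err
	}
	s := fmt.Sprintf("%d,%s,%s", version, strings.Join(ciphers, "-"), strings.Join(exts, "-"))
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:]), nil
}

// sample returns a constructed ClientHello; g is its GREASE byte, fill pads the random field.
func sample(g, fill byte) []byte {
	gg := fmt.Sprintf("%02x%02x", g, g)
	b, _ := hex.DecodeString("1603010043" + "0100003f" + // record and handshake headers
		"0303" + strings.Repeat(fmt.Sprintf("%02x", fill), 32) + "00" + // version, random, session id
		"0006" + gg + "1301c02f" + "0100" + // cipher suites, compression methods
		"0010" + gg + "0000" + "00000000" + "000a0000" + "002b0000") // extensions
	return b
}

func main() {
	first, _ := fingerprint(sample(0x0a, 0x11))
	again, _ := fingerprint(sample(0x3a, 0x22))
	list := map[string]bool{first: true} // stand-in for the predefined fingerprint list
	fmt.Println(first == again, list[again])
}
```

Without the GREASE filter the two sample records would hash differently, so the same client software would miss its own entry in the fingerprint list.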

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for detecting malicious traffic and an associated device are disclosed. When a server certificate transmitted by a server during the handshake for a secure connection between the server and a client is received, a detection device compares an issuer field with an owner field of the server certificate to identify whether the server certificate has been digitally signed by a third party, verifies the digital signature on the basis of a public key of the third party, and, if the third party or a higher-level certification authority of the third party is not a predefined trusted party, classifies the digital signature as traffic from which malicious code is generated.
PCT/KR2021/002792 2020-03-18 2021-03-08 Method for detecting malicious traffic and device therefor WO2021187782A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2020-0033312 2020-03-18
KR1020200033312A KR102336605B1 (ko) 2020-03-18 2020-03-18 Method and apparatus for detecting malicious traffic

Publications (1)

Publication Number Publication Date
WO2021187782A1 true WO2021187782A1 (fr) 2021-09-23

Family

ID=77769473

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2021/002792 WO2021187782A1 (fr) 2020-03-18 2021-03-08 Method for detecting malicious traffic and device therefor

Country Status (2)

Country Link
KR (1) KR102336605B1 (fr)
WO (1) WO2021187782A1 (fr)

Also Published As

Publication number Publication date
KR20210117006A (ko) 2021-09-28
KR102336605B1 (ko) 2021-12-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21772622

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21772622

Country of ref document: EP

Kind code of ref document: A1