Patent application number | Description | Published |
20080291912 | SYSTEM AND METHOD FOR DETECTING FILE - The present invention relates to a file detecting system and a method thereof. The file detecting system uses a signature of a file header and collects a network packet including a file to be detected among packets transmitted/received through a network. Subsequently, after the network protocol header is eliminated from the collected network packet, the file is reassembled and recovered. The recovered file is verified, and the verified file is transmitted to various file analysis systems. | 11-27-2008 |
20090133125 | METHOD AND APPARATUS FOR MALWARE DETECTION - The present invention relates to an apparatus and method for detecting malware. The malware detection apparatus and method of the present invention determines whether a file is malware or not by analyzing the header of an executable file. Since the malware detection apparatus and method can quickly detect presence of malware, it can shorten detection time considerably. The malware detection apparatus and method can also detect even unknown malware as well as known malware to thereby estimate and determine presence of malware. Therefore, it is possible to cope with malware in advance, protect a system with a program, and increase security level remarkably. | 05-21-2009 |
20090158431 | METHOD OF DETECTING POLYMORPHIC SHELL CODE - There is provided a method of detecting a polymorphic shell code. The decoding routine of the polymorphic shell code is detected from received data. In order for the decoding routine to access the address of an encoded code, the address of a currently executed code is stored in a stack, the value is moved in a register table, and it is determined whether the value is actually used for operating a memory. Emulation is finally performed and the degree of correctness of detection is improved. Therefore, time spent on detecting the polymorphic shell code and an overhead are reduced and the correctness of detection is increased. | 06-18-2009 |
20100146621 | METHOD OF EXTRACTING WINDOWS EXECUTABLE FILE USING HARDWARE BASED ON SESSION MATCHING AND PATTERN MATCHING AND APPRATUS USING THE SAME - A method and apparatus for extracting a windows executable file that can search for a pattern related to windows executable files among a large quantity of network packets using a hardware-based session tracking and pattern matching technology and that can extract all packets included in the corresponding session are provided. The method of extracting a windows executable file includes: collecting incoming packets having a payload according to a session of a reference packet having an MZ pattern; performing a portable executable (PE) pattern matching for the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching. | 06-10-2010 |
20100153421 | DEVICE AND METHOD FOR DETECTING PACKED PE FILE - The present invention discloses a device and method for detecting a packed PE (portable executable) file. In the device and method for detecting a packed PE file, information for detecting packing are extracted by analyzing the header of a target file, and a record containing characteristic values shown only in a packed PE file is created by using the extracted information. The packing of the target file is detected by calculating the similarity with a PE file which is not packed based on the created record and comparing it with a derived threshold value. Therefore, a packed PE file can be detected even if it is packed by a packing method which is not well-known. | 06-17-2010 |
20120167222 | METHOD AND APPARATUS FOR DIAGNOSING MALICOUS FILE, AND METHOD AND APPARATUS FOR MONITORING MALICOUS FILE - An apparatus for diagnosing malicious files includes a information transferring unit configured to receive information regarding a malicious file distributed in a management network and an execution file generated by assembling packets collected from the management network; an anti-virus engine configured to determine whether or not the execution file is malicious to generate information regarding a new malicious file; and a management unit configured to transfer the information regarding the malicious file and the information regarding the new malicious file to a terminal device on the management network through the information transferring unit. | 06-28-2012 |
20120324573 | METHOD FOR DETERMINING WHETHER OR NOT SPECIFIC NETWORK SESSION IS UNDER DENIAL-OF-SERVICE ATTACK AND METHOD FOR THE SAME - Provided is an apparatus and method for determining whether or not a specific network session is under a denial-of-service (DoS) attack. The method includes detecting a packet transmitted in the session, initializing the number of attack-suspicion continuation packets, increasing the number of attack-suspicion continuation packets by a predetermined number, and determining that the session is under the DoS attack. | 12-20-2012 |
20130091085 | INSIDER THREAT DETECTION DEVICE AND METHOD - The present invention relates to an insider threat detection device and method which collects and analyzes a variety of information generated by insiders working for an organization, such as behaviors, events, and states of the insider, and detects an abnormal insider who may become a potential threat. According to the present invention, the insider threat detection method and apparatus analyzes information related to insiders using the correlation analysis method, and previously detects an abnormal sign of an insider who may become a potential threat to an organization, which makes it possible to protect the organization from attacks on systems inside the organization or seizure of important information inside the organization. | 04-11-2013 |
20140297004 | METHOD FOR DETECTING ABNORMAL TRAFFIC ON CONTROL SYSTEM PROTOCOL - A method for detecting an abnormal traffic on a control system protocol, includes: checking whether session information exists in a management table; adding a new entry to the management table; checking whether a transaction ID in a table entry is the same as that of the received MODBUS request message; and checking whether data and length thereof of the received MODBUS request message are the same as those in the table entry. Further, the method includes detecting an abnormal traffic; and updating the table entry with packet information of the MODBUS request message. | 10-02-2014 |
20140298399 | APPARATUS AND METHOD FOR DETECTING ANOMALITY SIGN IN CONTROLL SYSTEM - An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the apparatus includes an information collection module configured to collect system information, network information, security event information or transaction information in interworking with a control equipments, network equipments, security equipments or server equipments. The apparatus includes storage module that stores the information collected by the information collection module. The apparatus includes an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system. | 10-02-2014 |
20140304817 | APPARATUS AND METHOD FOR DETECTING SLOW READ DoS ATTACK - A method for detecting a slow read DoS attack in a virtualized environment, the method comprising: receiving a connection request packet transmitted from a client to a server using a web protocol; checking whether the received packet is a TCP SYN packet or a packet of an HTTP GET request message; when it is checked that the received packet is the packet of the HTTP GET request message, detecting whether the received packet is a packet for the slow read DoS attack by analyzing a window size of the HTTP GET request message. | 10-09-2014 |