Patents Assigned to Korea Internet & Security Agency
  • Patent number: 12124573
    Abstract: An event processing method performed by a computing device is provided. The method may comprise receiving a plurality of events and generating a first event sequence in which the received events are sequentially arranged, determining first priorities for the events included in the first event sequence, using data output from a previously trained priority decision model, verifying the first priorities by comparing the first priorities with second priorities for the events included in the first event sequence, determining a feedback score for the first priorities based on results of the verification, and reinforcing the training of the priority decision model using the feedback score.
    Type: Grant
    Filed: January 24, 2024
    Date of Patent: October 22, 2024
    Assignee: KOREA INTERNET & SECURITY AGENCY
    Inventors: Joon Hyung Lim, Tae Eun Kim, Ki Jong Son, Sae Woom Lee, Seul Ki Choi, Tae Hyeon Kim
  • Patent number: 12107899
    Abstract: The method for automatically generating a playbook performed by a computing apparatus according to the present disclosure comprises periodically collecting asset information and CTI (Cyber Threat Intelligence) information of a target network, extracting TTP (Tactics, Techniques, Procedure) information using the collected asset information and the collected CTI information, retrieving a data source of the extracted TTP information, generating a temporary playbook including a data component matching a detection method of the extracted TTP information among a plurality of data components of the retrieved data source, verifying validity of the temporary playbook based on data component order information of the temporary playbook and determining whether rearrangement of data components included in the temporary playbook is needed, and rearranging data components included in the temporary playbook, and storing it as a final playbook.
    Type: Grant
    Filed: January 23, 2024
    Date of Patent: October 1, 2024
    Assignee: KOREA INTERNET & SECURITY AGENCY
    Inventors: Joon Hyung Lim, Tae Eun Kim, Ki Jong Son, Sae Woom Lee, Seul Ki Choi, Tae Hyeon Kim
  • Publication number: 20240289454
    Abstract: An apparatus for collecting meta data related to malicious code meta information, includes: an application programming interface (API) key setting unit configured to register as a member of a collection channel related to malicious code of cyber attacks, and set the API key as an initialization input; a collection channel access unit configured to, upon input of the set API key, access the collection channel; an execution command interpretation unit configured to, subsequent to accessing the collection channel, upon input of an execution command, interpret the input execution command; and a meta information management unit configured to, based on API information provided from the collection channel according to the interpreted execution command, extract at least one piece of meta information for identifying an attack group, and manage the at least one piece of meta information in a JSON format for each attack group.
    Type: Application
    Filed: February 12, 2024
    Publication date: August 29, 2024
    Applicant: Korea Internet & Security Agency
    Inventors: Jae Han JEONG, Chan Woong HWANG, Jae Gyu JEON, Woong GO
  • Publication number: 20240154990
    Abstract: A device for automatically sorting a cyber attack includes an event feature generator that extracts a unique attacker IP by analyzing attacker IPs for each of the different kinds of security devices, and generates AI learning features of the security events of the different kinds of security devices including feature numerical data quantifying at least two or more features through attack information analysis recorded in the different kinds of security devices based on the information on the security events of the different kinds of security devices mapped to the extracted unique attacker IP, and an attack type sorter that learns the generated feature numerical data using an unsupervised learning algorithm, generates clustering data by sorting the feature numerical data into similar attack data and clustering sorted feature numerical data, and then analyzes the generated clustering data to identify a short-term or long-term attacker's cyber attack type.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 9, 2024
    Applicant: Korea Internet & Security Agency
    Inventors: Do Won KIM, Tae Eun KIM, Ki Jong SON, Sae Woom LEE, Seul Ki CHOI, Tae Hyeon KIM, Gyeong Jin NA
  • Publication number: 20240152604
    Abstract: Disclosed are a system and method for automatically generating a playbook and verifying validity of a playbook based on artificial intelligence, wherein the system of the present invention includes a system for automatically generating a playbook that automatically generates the playbook, and a system for verifying validity of a playbook that is connected to the system for automatically generating a playbook through a network to perform the verification of the validity on the playbook received from the system for automatically generating a playbook.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 9, 2024
    Applicant: Korea Internet & Security Agency
    Inventors: Do Won KIM, Tae Eun KIM, Ki Jong SON, Sae Woom LEE, Seul Ki CHOI, Tae Hyeon KIM, Gyeong Jin NA
  • Publication number: 20240152608
    Abstract: A method of supporting decision-making of security control includes: (a) when a system for automatically analyzing a security threat receives a security warning from a security device, collecting security threat events generating the security warning from the security device; (b) when the collected security threat events exceed a preset event processing threshold, generating, by the system for automatically analyzing a security threat, a first request message for preferentially processing a security event; (c) when receiving the first request message generated from the system, determining, by the system for supporting priority of security control, a priority processing order of the security threat events, and notifying the system; and (d) when receiving the second request message generated from the system, determining, by the system for supporting priority of security control, a priority processing order and notifying the system for automatically analyzing a security threat of the determined priority process
    Type: Application
    Filed: October 31, 2023
    Publication date: May 9, 2024
    Applicant: Korea Internet & Security Agency
    Inventors: Do Won KIM, Tae Eun KIM, Ki Jong SON, Sae Woom LEE, Seul Ki CHOI, Tae Hyeon KIM, Gyeong Jin NA
  • Patent number: 11842336
    Abstract: A method for identifying a wallet address associated with a virtual asset service provider is provided. The method comprises receiving a target wallet address, obtaining a transaction of a virtual asset associated with the target wallet address, obtaining a list of a plurality of known wallet addresses of virtual asset service providers (VASPs) and identifying a type of the target wallet address, by performing at least one of a cold wallet determination routine and a hot wallet determination routine for the target wallet address, based on the transaction and the list of known wallet addresses of the VASPs.
    Type: Grant
    Filed: August 5, 2022
    Date of Patent: December 12, 2023
    Assignees: KOREA INTERNET & SECURITY AGENCY, Lambda256, CO., LTD
    Inventors: Yong Hee Shin, Moon Hee Cho, Kyeong Han Kim, Dae Il Jang, Seung Goo Ji, Jae Hoon Oh
  • Patent number: 11797617
    Abstract: A method for collecting dark web information is provided. The method for collecting dark web information is performed by a computing device and comprises obtaining a list of onion addresses of a plurality of target dark web sites, accessing at least one of the plurality of target dark web sites, collecting web page information of the accessed dark web site, storing information on the accessed dark web site by analyzing the collected web page information and providing an analysis result of the accessed dark web site by using the stored information on the accessed dark web site.
    Type: Grant
    Filed: April 12, 2022
    Date of Patent: October 24, 2023
    Assignee: KOREA INTERNET & SECURITY AGENCY
    Inventors: Kyeong Han Kim, Moon Hee Cho, Yong Hee Shin
  • Publication number: 20230171272
    Abstract: Disclosed are a system and a method for detecting session initiation protocol (SIP) noncoding, and more particularly, to a system and a method for detecting SIP noncoding, which can manage reputation of a client terminal according to whether or not the client terminal sends an encoded SIP message through a 5G non-standalone/Standalone (5G NSA/SA), thereby preventing an SIP spoofing attack.
    Type: Application
    Filed: June 27, 2022
    Publication date: June 1, 2023
    Applicant: Korea Internet & Security Agency
    Inventors: Do Won KIM, Seong Min PARK, Hyung Jin CHO, Young Kwon PARK, Dae Un KIM, Sung Moon KWON
  • Publication number: 20230156043
    Abstract: Disclosed is a system and a method of supporting a decision-making for security management to cause a security controller to rapidly take precautions against a threat, the system comprising: an interface unit configured to receive a request for support of a decision-making, and a processing unit configured to support at least one decision-making concerning materialization of the threat, the selection of a security event to be preferentially processed, or the recommendation of a most suitable response according to the request for the support of the decision-making.
    Type: Application
    Filed: October 25, 2022
    Publication date: May 18, 2023
    Applicant: Korea Internet & Security Agency
    Inventors: Do Won KIM, Tae Eun KIM, Ki Jong SON, Seul Ki CHOI, Jong Ki KIM
  • Publication number: 20230156026
    Abstract: Disclosed is a system and a method of automatizing a threat analysis based on artificial intelligence according to the present invention, the system comprising: a playbook automatic-generation module configured to generate a playbook based on a template by utilizing an artificial learning model; a playbook verification and management module configured to verify effectiveness of the playbook generated by the playbook automatic-generation module; a playbook database configured to save the playbook verified by the playbook verification and management module; and a playbook execution module configured to automatically execute any playbook corresponding to a detected event through matching therebetween from the playbook database.
    Type: Application
    Filed: October 25, 2022
    Publication date: May 18, 2023
    Applicant: Korea Internet & Security Agency
    Inventors: Do Won KIM, Tae Eun KIM, Ki Jong SON, Seul Ki CHOI, Jong Ki KIM
  • Publication number: 20230146636
    Abstract: Disclosed is a system and a method of detecting an abnormal act threatening security based on artificial intelligence according to the present invention, and, more particularly, a system and a method of detecting an abnormal act threatening security based on artificial intelligence that are capable of rapidly carrying out pre-processing of a large-scale data set based on multiprocessing, and efficiently detecting the abnormal act threatening security via various security devices on the basis of trained artificial intelligence.
    Type: Application
    Filed: October 25, 2022
    Publication date: May 11, 2023
    Applicant: Korea Internet & Security Agency
    Inventors: Do Won KIM, Tae Eun KIM, Ki Jong SON, Seul Ki CHOI, Jong Ki KIM
  • Publication number: 20220383298
    Abstract: A method for identifying a wallet address associated with a virtual asset service provider is provided. The method comprises receiving a target wallet address, obtaining a transaction of a virtual asset associated with the target wallet address, obtaining a list of a plurality of known wallet addresses of virtual asset service providers (VASPs) and identifying a type of the target wallet address, by performing at least one of a cold wallet determination routine and a hot wallet determination routine for the target wallet address, based on the transaction and the list of known wallet addresses of the VASPs.
    Type: Application
    Filed: August 5, 2022
    Publication date: December 1, 2022
    Applicants: KOREA INTERNET & SECURITY AGENCY, Lambda256, CO., LTD
    Inventors: Yong Hee SHIN, Moon Hee CHO, Kyeong Han KIM, Dae Il JANG, Seung Goo JI, Jae Hoon OH
  • Patent number: 11443304
    Abstract: A method for identifying a wallet address associated with a virtual asset service provider is provided. The method comprises receiving a target wallet address, obtaining a transaction of a virtual asset associated with the target wallet address, obtaining a list of a plurality of known wallet addresses of virtual asset service providers (VASPs) and identifying a type of the target wallet address, by performing at least one of a cold wallet determination routine and a hot wallet determination routine for the target wallet address, based on the transaction and the list of known wallet addresses of the VASPs.
    Type: Grant
    Filed: October 15, 2021
    Date of Patent: September 13, 2022
    Assignees: KOREA INTERNET & SECURITY AGENCY, Lambda256, CO., LTD
    Inventors: Yong Hee Shin, Moon Hee Cho, Kyeong Han Kim, Dae Il Jang, Seung Goo Ji, Jae Hoon Oh
  • Publication number: 20220237240
    Abstract: A method for collecting dark web information is provided. The method for collecting dark web information is performed by a computing device and comprises obtaining a list of onion addresses of a plurality of target dark web sites, accessing at least one of the plurality of target dark web sites, collecting web page information of the accessed dark web site, storing information on the accessed dark web site by analyzing the collected web page information and providing an analysis result of the accessed dark web site by using the stored information on the accessed dark web site.
    Type: Application
    Filed: April 12, 2022
    Publication date: July 28, 2022
    Applicant: KOREA INTERNET & SECURITY AGENCY
    Inventors: Kyeong Han KIM, Moon Hee CHO, Yong Hee SHIN
  • Publication number: 20220198443
    Abstract: A method for identifying a wallet address associated with a virtual asset service provider is provided. The method comprises receiving a target wallet address, obtaining a transaction of a virtual asset associated with the target wallet address, obtaining a list of a plurality of known wallet addresses of virtual asset service providers (VASPs) and identifying a type of the target wallet address, by performing at least one of a cold wallet determination routine and a hot wallet determination routine for the target wallet address, based on the transaction and the list of known wallet addresses of the VASPs.
    Type: Application
    Filed: October 15, 2021
    Publication date: June 23, 2022
    Applicants: KOREA INTERNET & SECURITY AGENCY, Lambda256, CO., LTD
    Inventors: Yong Hee SHIN, Moon Hee CHO, Kyeong Han KIM, Dae Il JANG, Seung Goo JI, Jae Hoon OH
  • Publication number: 20220201011
    Abstract: Provided is a method performed by a computing device for classifying a type of exploit.
    Type: Application
    Filed: March 29, 2021
    Publication date: June 23, 2022
    Applicant: KOREA INTERNET & SECURITY AGENCY
    Inventors: Jae Hyuk Lee, Woong Go, Hong Geun Kim, Sung Taek Oh
  • Publication number: 20220191113
    Abstract: Provided is a method performed by a computing device for monitoring an abnormal behavior of a plurality of IoT devices. The method comprises determining abnormality of a behavior of each of the plurality of IoT devices based on traffic data representing the behavior of each of the plurality of IoT devices, clustering the behavior of each of the plurality of IoT devices based on the traffic data and a result of the determining the abnormality and generating data for representing a plurality of clusters formed as a result of the clustering such that a first cluster corresponding to a normal behavior cluster and a second cluster corresponding to an abnormal behavior cluster are displayed on different planes, the first cluster and the second cluster being divided based on the result of the determining the abnormality.
    Type: Application
    Filed: March 22, 2021
    Publication date: June 16, 2022
    Applicant: KOREA INTERNET & SECURITY AGENCY
    Inventors: Sung Taek Oh, Woong Go, Hong Geun Kim, Jae Hyuk Lee
  • Patent number: 11350282
    Abstract: Provided is a method for detecting abnormal traffic. The method comprises collecting non-access stratum (NAS) traffic between a user equipment (UE) and a mobility management node, identifying a ciphering algorithm supported by the UE from a network access request message transmitted from the UE to the mobility management node, and identifying the UE as a first type of terminal at risk based on a determination that the UE only supports a null ciphering algorithm.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: May 31, 2022
    Assignee: KOREA INTERNET & SECURITY AGENCY
    Inventors: Do Won Kim, Seong Min Park, Bo Min Choi, Young Kwon Park, Jin Hyun Cho, Hyung Jin Cho, Sung Moon Kwon
  • Publication number: 20220156320
    Abstract: Provided is a method performed by a computing device for identifying a device. The method includes receiving a target packet from an identification target device, extracting a pattern of the target packet, the target packet being transmitted by the identification target device from the packet, matching the pattern of the target packet with at least one of packet patterns stored in an identification information DB, comparing a first model name with a second model name, the first model name corresponding to the matched pattern stored in the identification information DB, the second model name being selected by a user of a user terminal, and transmitting a proposed model name to the user terminal based on determining that the first model name and the second model name are different, the proposed model name being used for connection between the user terminal and the identification target device.
    Type: Application
    Filed: March 12, 2021
    Publication date: May 19, 2022
    Applicant: KOREA INTERNET & SECURITY AGENCY
    Inventors: Jae Hyuk Lee, Woong Go, Hong Geun Kim, Sung Taek Oh