Abstract: Provided is a method performed by a computing device for identifying a device. The method include receiving a target packet from an identification target device, extracting a pattern of the target packet, the target packet being transmitted by the identification target device from the packet, matching the pattern of the target packet with at least one of packet patterns stored in an identification information DB, comparing a first model name with a second model name, the first model name being corresponding to the matched pattern stored in the identification information DB, the second model name being selected by a user of a user terminal, and transmitting a proposed model name to the user terminal based on determining that the first model name and the second model name are different, the proposed model name being used for connection between the user terminal and the identification target device.

Abstract: Provided are a method for detecting an anomaly in devices, the method being performed by a computing device and comprising: acquiring operation information on a first device connected to a security management unit (SMU) of a first domain, and operation information on a second device connected to a SMU of a second domain, and detecting an anomaly in the first device and/or the second device by comparing the operation information on the first device with the operation information on the second device, wherein the SMU of the first domain is not directly connected to the SMU of the second domain.

Abstract: A method for collecting dark web information is provided. The method for collecting dark web information is performed by a computing device and comprises obtaining a list of onion addresses of a plurality of target dark web sites, accessing at least one of the plurality of target dark web sites, collecting web page information of the accessed dark web site, storing information on the accessed dark web site by analyzing the collected web page information and providing an analysis result of the accessed dark web site by using the stored information on the accessed dark web site.

Abstract: A method for identifying a type of a variable within a binary performed on a computing device is provided. The method comprises, identifying a variable from disassembly code of a binary, and determining a type of the variable based on an instruction of the disassembly code, associated with the variable.

Abstract: Provided is a method for rearranging traffic data performed by a computing device. The method comprises obtaining traffic data transmitted and received between a base station and a terminal, calculating a value of a Radio Resource Control (RRC) inactivity timer based on a RRC release message included in the traffic data, determining a size of a time window using the calculated value of the RRC inactivity timer and rearranging, for each time window having the determined size, the traffic data of a target terminal by an RRC connection request time.

Abstract: Provided is a method for detecting abnormal traffic. The method comprises collecting non-access stratum (NAS) traffic between a user equipment (UE) and a mobility management node, identifying a ciphering algorithm supported by the UE from a network access request message transmitted from the UE to the mobility management node, and identifying the UE as a first type of terminal at risk based on a determination that the UE only supports a null ciphering algorithm.

Abstract: There is provided a method of generating malicious traffic, the method being performed by a computing apparatus and comprising obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device, generating a traffic template of the first device by analyzing the traffic data, and generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.

Abstract: There is provided a method of patching a binary having vulnerability which is performed by a computing device. The method comprises loading a first binary to be patched, into a memory, generating a second binary by patching to call a stack frame initialization function from a vulnerable function of the first binary, executing the stack frame initialization function by calling the vulnerable function when the second binary is executed and initializing a stack frame area of the vulnerable function so as to automatically initialize a variable declared in the vulnerable function.

Abstract: Provided is a method performed by a computing device for detecting abnormal behavior in a network. The method comprises obtaining a plurality of individual rules, wherein an individual rule of the plurality of individual rules is for extracting first output data from at least one input data set among a plurality of input data sets, the first output data satisfying a first extraction condition, obtaining a plurality of association rules, wherein an association rule of the plurality of association rules is for extracting second output data from at least one of the plurality of input data sets and the first output data, the second output data satisfying a second extraction condition and detecting abnormal behavior in a network based on third output data, the third output data being extracted using one of the plurality of individual rules and the plurality of association rules.

Abstract: An apparatus comprising a processor to execute the rule optimizer to perform a number of operations. One operation comprises obtaining 5 log data including a result of detecting an exploit attack based on a rule. Another operation comprises time-series analyzing the obtained log data to update at least some of previously applied detection rules. There is provided an apparatus for automatically optimizing a rule to improve the detection accuracy for an exploit attack in a rule-based attack detection system, and a method performed on the apparatus.

Abstract: A method and apparatus for analyzing cyber threat intelligence data. The method includes: acquiring first and second CTI graphs including first and second CTI data, respectively, classified based on a first classification item; classifying the first CTI data and the second CTI data based on a second classification item determined depending on the first classification item; outputting a graph similarity of the first and second CTI graphs determined based on a first CTI similarity between the first and second CTI data when the first and second CTI data belong to the same classification as a result of the classification; setting the first CTI graph and the second CTI graph to be included in one group when the graph similarity is equal to or greater than a threshold value; and outputting CTI information including the first and second CTI data for each group.

Abstract: Provided are a method and apparatus for selecting key information of each group in grouped graph data. According to embodiments, key information of each group is selected using a term frequency-inverse document frequency (TF-IDF) value obtained for each node belonging to each group by using a TD-IDF algorithm for obtaining the importance of each term or keyword in a document.

Abstract: Disclosed herein are a method and system for collecting cyber threat intelligence (CTI) data. The system includes a management server that determines agent configuration values associated with an OSINT providing source, an agent that receives the agent configuration values from the management server, performs a data collection task for collecting the CTI data based on the agent configuration values, and transmits the CTI data and data collection status information to the management server, a threat information database where which the CTI data is logged, and a system database where the data collection status information is logged.

Abstract: Provided are a method for abbreviating grouped graph data and an apparatus to which the method is applied. According to an embodiment, the method for abbreviating graph data comprises obtaining source information that is information on a graph structure and grouping information that reflects a result of clustering for the source information, obtaining one or more abbreviation candidate network motifs that all member nodes of the network motifs belong to the same group, among original network motifs extracted from the source information, selecting an abbreviation target network motif based on a sum of levels of edges belonging to the abbreviation candidate network motif of the abbreviation candidate network motifs and replacing the abbreviation target network motif with a single node.

Abstract: Provided are methods of detecting a Diameter spoofing attack. According to an embodiment, the method comprises, obtaining a normal International Mobile Subscriber Identity (IMSI) from a packet of a Diameter S6a protocol transmitted from a Mobile Management Entity (MME) to a Home Subscriber Server (HSS) of a home network, adding a record comprising the normal IMSI to a session table, obtaining an Insert Subscriber Data Request (IDR) message of the Diameter S6a protocol and determining a category of the IDR message.

Abstract: Provided is a method for classifying a cyber-attack performed in a computing device having an artificial neural network. The method comprises obtaining a plurality of features extracted from collected packets and inputting the plurality of features into the artificial neural network and using data output from the artificial neural network to determine a type of cyber-attack indicated by the collected packet.

Abstract: Provided are a method for detecting an anomaly in devices, the method being performed by a computing device and comprising: acquiring operation information on a first device connected to a security management unit (SMU) of a first domain, and operation information on a second device connected to a SMU of a second domain, and detecting an anomaly in the first device and/or the second device by comparing the operation information on the first device with the operation information on the second device, wherein the SMU of the first domain is not directly connected to the SMU of the second domain.

Abstract: There is provided a method of generating malicious traffic, the method being performed by a computing apparatus and comprising obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device, generating a traffic template of the first device by analyzing the traffic data, and generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.

Abstract: There is provided a method of tracking the location of the cause of a binary vulnerability, the method being performed by a computing apparatus and comprising: adding first taint information for a first operand register tainted by input data of an error-causing case, generating second taint information for a second operand register tainted by data of the first operand register by using the first taint information; and tracking input data that caused an error among the input data of the error-causing case by tracing back taint information of a register of each operand from a point where the error occurred.

Abstract: Provided is an Internet protocol (IP) generation method. The method is performed by an IP generation apparatus comprising one or more processors and memory and includes: forming a plurality of initialized partial numbers by dividing a decimal number indicating a count of IP addresses that can be generated; changing the partial numbers according to a predetermined rule; generating an IP decimal number by linking the changed partial numbers; generating a random IP address from the IP decimal number; and generating a plurality of different random IP addresses with improved time efficiency, by sequentially repeating the changing of the partial numbers, the generating of the IP decimal number and the generating of the random IP address.