Abstract: Provided is a ransomware detection method of an electronic device, including: generating monitoring information including information on a first file in response to an open of a first file; setting any one of a first flag corresponding to file generation and a second flag corresponding to file deletion in the monitoring information in response to a first behavior associated with the first file; setting a flag different from the flag set in the monitoring information in response to the first behavior among the first and second flags in the monitoring information in response to a second behavior that is a subsequent behavior of the first behavior; and detecting a process associated with the ransomware by performing analysis based on the first and second flags set in the monitoring information.

Abstract: An apparatus for traffic security processing in a slicing service of mobile edge computing according to an embodiment of the present invention includes: a plurality of security modules for analyzing a received packet to respectively execute security functions suitable for slicing security of mobile edge computing; a controller for managing a slicing security module list in the mobile edge computing; and a main security module for analyzing a received packet on the basis of the slicing security module list to determine a security function to be executed and priority of the security function to be executed, wherein the controller transmits the received packet to at least one corresponding security module among the plurality of security modules according to the priority of the security function to be executed, which is determined by the main security module.

Abstract: Disclosed is an apparatus for distributed processing of an identical packet in high-speed network security equipment, including: a plurality of analysis modules for each determining whether vulnerability analysis is required by analyzing a received packet; a circular queue for receiving the packet from an analysis module initially determining that the vulnerability analysis is required and storing the received packet as a bucket structure; and a plurality of analysis engines for each performing different vulnerability analyses for the packet acquired from the circular queue based on a packet address of the bucket structure, in which the bucket structure includes a packet data storage unit and packet use information storage units which are as many as the plurality of analysis engines, and the packet use information storage units store packet use information of the plurality of respective analysis engines, respectively.

Abstract: Disclosed is an apparatus for distributed processing of an identical packet in high-speed network security equipment, including: a plurality of analysis modules for each determining whether vulnerability analysis is required by analyzing a received packet; a circular queue for receiving the packet from an analysis module initially determining that the vulnerability analysis is required and storing the received packet as a bucket structure; and a plurality of analysis engines for each performing different vulnerability analyses for the packet acquired from the circular queue based on a packet address of the bucket structure, in which the bucket structure includes a packet data storage unit and packet use information storage units which are as many as the plurality of analysis engines, and the packet use information storage units store packet use information of the plurality of respective analysis engines, respectively.

Abstract: The present disclosure relates to an apparatus and method for reconfiguring a signature used in a signature-based abnormal traffic detection scheme. A signature reconfiguration method of the present disclosure comprises: selecting a signature from a signature list and dividing the selected signature into a plurality of signature fragments; calculating a first impact for each of a plurality of load elements by inspection of the plurality of signature fragments for the plurality of load elements; calculating a second impact for each of the plurality of load elements by applying a weight for each of the plurality of load elements to the first impact; calculating a final load impact for each signature fragment by summing corresponding second impacts to each signature fragment among the calculated second impacts; and rearranging an order of the plurality of signature fragments according to a magnitude of the calculated final load impact.

Abstract: Provided are a multi-pattern policy detection system and method, wherein, in an environment that operates a plurality of policies for determining matching or non-matching by a string or a normalized format, the plurality of policies are expressed by a data structure that is searchable at a time, and are optimized to improve search performance.

Abstract: An intrusion protection system (IPS) switch system forwards traffic inserted from a switch to a destination port, simultaneously copying and storing the traffic output to an internal port by a port mirroring method of the switch, detecting maleficence inspection of the stored packet based on a protocol/pattern, providing a blocking control policy (e.g., Access Control List (ACL)) to an output port of the switch based on IP or MAC information of the terminal detected of maleficence to prevent expansion of maleficent packets, and transmitting traffic whose destination is outside to the IPS processor to transmit only normal packets to the outside after detecting/blocking maleficence based on the protocol/pattern, and a processing method thereof.

Abstract: Disclosed is an apparatus for verifying a malicious code machine learning classification model, which includes: a main feature processing subsystem performing feature extracting and processing functions in an input file; and a multi-layer cyclic verification subsystem performing multi-layer verification in order to determine whether the file is normal or malicious based on the extracted and processed features to verify a machine learning model that classifies malicious codes, thereby ensuring reliability of a prediction result for a machine learning model.

Abstract: Provided are a multi-pattern policy detection system and method, wherein, in an environment that operates a plurality of policies for determining matching or non-matching by a string or a normalized format, the plurality of policies are expressed by a data structure that is searchable at a time, and are optimized to improve search performance.

Abstract: The present invention relates to a multicore communication processing service. More specifically, aspects of the present invention provide a technology for converting a plurality of data packet units into one jumbo frame unit, copying the converted jumbo frame to a plurality of dual in-line memories (DIMMs) by logical distribution, and computing the jumbo frame through each CPU including multicore processors corresponding to the plurality of DIMM channels, thereby reducing the number of packets per second and securing efficiency in memories and CPU resources, and also adding/removing a header field for each data packet included in the jumbo frame according to a path transmitted or received from a network interface card (NIC) of the jumbo frame or processing the data packet using the header field only, thereby minimizing packet receive event and reducing context switching generated upon the packet receive event, which results in improvement of jumbo frame processing performance.

Abstract: The present invention is directed to configure an effective search node based on splitting, regrouping, complexity calculation, and learning information, and perform high-performance regular expression search. To this end, the present invention includes: a policy database; a regular expression extraction processor; a regular expression fragment processor that splits each of the regular expression character strings extracted by the regular expression extraction processor in accordance with a fragmentation rule; a regular expression normalization processor that generates an optimized regular expression fragment table; a cost calculation engine processor that determines a cost for each of the regular expression fragments; a decision tree generation processor that generates a decision tree based on cost information; and a pattern matching engine processor that configures a search engine.

Abstract: A system and method for providing authentication service for IoT security are disclosed herein. The system for providing authentication service for IoT security includes an Internet of Things (IoT) service server, and an IoT gateway node. The IoT service server supports an IoT communication service in accordance with an IoT communication service policy. The IoT gateway node receives an IoT service request from a terminal attempting to control an IoT device that supports the IoT communication service while operating in conjunction with the IoT service server, identifies whether the terminal attempting to control the IoT device is a normal user based on profile information, collected from the terminal via the IoT service request, via the IoT service server, and performs the security authentication of the IoT device.

Abstract: An apparatus and method for providing analysis service based on behavior in a mobile network environment are disclosed. The apparatus includes a control unit configured to control the path of a packet based on predetermined policy information, to block the packet based on a result of an analysis of the packet, or to extract information about the packet and selectively process the extracted information based on the predetermined policy information; a download path and file management engine configured to collect downloaded files corresponding to the URL of the packet, to extract the downloaded files as an app file, and to transfer the extracted app file to a virtual machine; and a virtual machine management engine unit configured to determine whether malware is present in the app file and whether the app file has accessed the resources, and to selectively manage the corresponding app based on a result of the determination.

Abstract: The present invention includes creating a session in response to a session setup request for a general packet radio service (GPRS) application service, receiving GTP packet data using GPRS tunneling protocol (GTP) tunnel, performing decoding on the GTP packet data, determining whether there is an attack attributable to malicious behavior based on a predetermined management DB, identifying the type of the GTP packet data as the type of GTP packet for attacked GTP packet data and the type of GTP packet for non-attacked packet data based on a result of the determination, carrying out a predetermined policy for the identified type of GTP packet, performing the standardization of the packet data of each GTP version, determining whether the standardized packet data has been registered with a hash buffer in accordance with the type of pairing message for each command, and processing a session based on a result of the determination.

Abstract: An automatic malignant code collecting system comprises a first database configured to store detection target website information, a virtual machine controller configured to read the website information from the first database and transmit the website information, a first virtual machine configured to periodically gain access to a website using the website information and to collect a malignant code and evidence thereof if an abnormal event occurs when the first virtual machine gains access to the website, a second virtual machine configured to periodically gain access to the same website as accessed by the first virtual machine using the website information received from the virtual machine controller and to collect a malignant code and evidence thereof if an abnormal event occurs when the second virtual machine gains access to the website, and a second database configured to store the malignant code and the evidence thereof collected by the first virtual machine and the second virtual machine.

Abstract: A fast application recognition system includes an output management unit to buffer an input packet and transmit the packet to an outside according to control information, a preprocessing path selection unit to receive the packet from the output management unit, extract control information corresponding to a packet's header information, and return the extracted control information to the output management unit, a primary processing unit to receive a packet not processed at the preprocessing path selection unit, extract control information corresponding to a packet's pattern using a primary pattern database, and return the extracted control information to the output management unit, and a statistics control unit to receive a packet from the output management unit according to the control information and the primary processing unit, extract control information corresponding to a packet's pattern using a secondary pattern database, and return the extracted control information to the output management unit.

Abstract: A pattern matching system for a network security device includes a pattern matching card configured to generate a pattern matching result by matching data of a received packet with a pre-stored pattern of a signature pattern table, and an analyzing engine configured to copy the packet and transfer the copied packet to the pattern matching card and configured to detect a bad traffic based on packet analysis information of the packet and the pattern matching result received from the pattern matching card. The analyzing engine is configured to detect a bad traffic based on a pattern matching result for a single packet and packet analysis information during a single-packet-based analysis and is configured to detect a bad traffic based on a pattern matching result for successive packets and packet analysis information during a multi-packet-based analysis.

Abstract: A fast application recognition system includes an output management unit to buffer an input packet and transmit the packet to an outside according to control information, a preprocessing path selection unit to receive the packet from the output management unit, extract control information corresponding to a packet's header information, and return the extracted control information to the output management unit, a primary processing unit to receive a packet not processed at the preprocessing path selection unit, extract control information corresponding to a packet's pattern using a primary pattern database, and return the extracted control information to the output management unit, and a statistics control unit to receive a packet from the output management unit according to the control information and the primary processing unit, extract control information corresponding to a packet's pattern using a secondary pattern database, and return the extracted control information to the output management unit.