Abstract: Provided is a method for detecting abnormal traffic. The method comprises collecting non-access stratum (NAS) traffic between a user equipment (UE) and a mobility management node, identifying a ciphering algorithm supported by the UE from a network access request message transmitted from the UE to the mobility management node, and identifying the UE as a first type of terminal at risk based on a determination that the UE only supports a null ciphering algorithm.

Abstract: Provided is a method for detecting abnormal traffic. The method comprises collecting non-access stratum (NAS) traffic between a user equipment (UE) and a mobility management node, identifying a ciphering algorithm supported by the UE from a network access request message transmitted from the UE to the mobility management node, and identifying the UE as a first type of terminal at risk based on a determination that the UE only supports a null ciphering algorithm.

Abstract: Provided are methods of detecting a Diameter spoofing attack. According to an embodiment, the method comprises, obtaining a normal International Mobile Subscriber Identity (IMSI) from a packet of a Diameter S6a protocol transmitted from a Mobile Management Entity (MME) to a Home Subscriber Server (HSS) of a home network, adding a record comprising the normal IMSI to a session table, obtaining an Insert Subscriber Data Request (IDR) message of the Diameter S6a protocol and determining a category of the IDR message.

Abstract: Disclosed is a method of detecting anomalies suspected of an attack based on time series statistics according to the present invention. The method of detecting anomalies suspected of an attack according to the present invention includes the steps of: collecting log data and traffic data in real-time and extracting at least one piece of preset traffic feature information from the collected log data and traffic data; and training through a time series analysis-based normal traffic training model using the extracted traffic feature information, and detecting abnormal network traffic according to a result of the training.

Abstract: A system for detecting malicious codes based on API includes: a malicious code management server storing first suspected malicious executable files extracted from traffic to be analyzed collected or inputted; and a virtualization analysis server executing the first suspected malicious executable files received from the malicious code management server, extracting first API call information called by malicious codes in user level and in kernel level, and transmitting the extracted first API call information to the malicious code management server.

Abstract: A system for analyzing large-scale malicious codes includes a malicious code management server dividing suspected malicious traffic collected into a plurality of first suspected malicious executable files and transmitting the plurality of first suspected malicious executable files to at least one or more virtualization analysis servers; and the at least one or more virtualization analysis servers executing the plurality of first suspected malicious executable files through a plurality of virtualization analysis agents load-balanced correspondingly to the plurality of first suspected malicious executable files and extracting first API call information called by malicious codes in user level and in kernel level.