Patents by Inventor Byoung-Koo Kim
Byoung-Koo Kim has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9183382
Abstract: A server receives a first echo request message which complies with an Internet control message protocol, extracts filtering information from header information of the received first echo request message, and when a second echo request message which complies with the Internet control message protocol is received, compares header information of the received second echo request message and the extracted filtering information so as to determine whether to block an attacking packet for the received second echo request message. According to the present invention, the server blocks the attacking packet using the Internet control message protocol, thereby blocking a denial-of-service attack.
Type: Grant
Filed: December 14, 2011
Date of Patent: November 10, 2015
Assignee: Electronics and Telecommunications Research Institute
Inventors: Byoung-Koo Kim, Seung-Yong Yoon
-
Patent number: 9130983
Abstract: An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the apparatus includes an information collection module configured to collect system information, network information, security event information or transaction information in interworking with a control equipments, network equipments, security equipments or server equipments. The apparatus includes storage module that stores the information collected by the information collection module. The apparatus includes an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system.
Type: Grant
Filed: June 26, 2013
Date of Patent: September 8, 2015
Assignee: Electronics and Telecommunications Research Institute
Inventors: Youngjun Heo, Seon-Gyoung Sohn, Dong Ho Kang, Byoung-Koo Kim, Jung-Chan Na, Ik Kyun Kim
-
Patent number: 8943586
Abstract: Disclosed are methods of detecting a domain name server (DNS) flooding attack according to characteristics of a type of attack traffic. A method of detecting an attack by checking a DNS packet transmitted over a network in a computer device connected to the network, includes determining whether the number of DNS packets previously generated within a threshold time with the same type of message, the same specific address and the same field value as in the transmitted packet is greater than or equal to a given number, and determining the transmitted DNS packet as a packet related to the attack if the number of DNS packets previously generated within the threshold time is greater than or equal to the given number.
Type: Grant
Filed: June 21, 2012
Date of Patent: January 27, 2015
Assignee: Electronics and Telecommunications Research Institute
Inventor: Byoung Koo Kim
-
Publication number: 20140380458
Abstract: Disclosed is an apparatus for preventing illegal access of industrial control system and a method thereof in accordance with the present invention. The apparatus for preventing illegal access of industrial control system includes: a first interface communicating a packet by interoperating with a management network group that requests a control command; a second interface communicating a packet by interoperating with a control network group that receives a control command from the management network group and processes it; and a control device, which, when a packet flows therein from the management network group or the control network group, checks whether or not at least one filter rule is set and controls the packet flow between the management network group and the control network group using the filter where the rule is set.
Type: Application
Filed: April 4, 2014
Publication date: December 25, 2014
Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
Inventors: Byoung-Koo KIM, Dong-Ho KANG, Seon-Gyoung SOHN, Young-Jun HEO, Jung-Chan NA
-
Publication number: 20140304817
Abstract: A method for detecting a slow read DoS attack in a virtualized environment, the method comprising: receiving a connection request packet transmitted from a client to a server using a web protocol; checking whether the received packet is a TCP SYN packet or a packet of an HTTP GET request message; when it is checked that the received packet is the packet of the HTTP GET request message, detecting whether the received packet is a packet for the slow read DoS attack by analyzing a window size of the HTTP GET request message.
Type: Application
Filed: January 14, 2014
Publication date: October 9, 2014
Applicant: Electronics and Telecommunications Research Institute
Inventors: Byoung-Koo KIM, Yangseo CHOI, Ik Kyun KIM
-
Publication number: 20140298399
Abstract: An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the apparatus includes an information collection module configured to collect system information, network information, security event information or transaction information in interworking with a control equipments, network equipments, security equipments or server equipments. The apparatus includes storage module that stores the information collected by the information collection module. The apparatus includes an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system.
Type: Application
Filed: June 26, 2013
Publication date: October 2, 2014
Inventors: Youngjun HEO, Seon-Gyoung SOHN, Dong Ho KANG, Byoung-Koo KIM, Jung-Chan NA, Ik Kyun KIM
-
Publication number: 20140297004
Abstract: A method for detecting an abnormal traffic on a control system protocol, includes: checking whether session information exists in a management table; adding a new entry to the management table; checking whether a transaction ID in a table entry is the same as that of the received MODBUS request message; and checking whether data and length thereof of the received MODBUS request message are the same as those in the table entry. Further, the method includes detecting an abnormal traffic; and updating the table entry with packet information of the MODBUS request message.
Type: Application
Filed: July 2, 2013
Publication date: October 2, 2014
Inventors: Byoung-Koo KIM, Dong Ho KANG, Seon-Gyoung SOHN, Youngjun HEO, Jung-Chan NA, Ik Kyun KIM
-
Patent number: 8667585
Abstract: Disclosed herein is a Transmission Control Protocol (TCP) flooding attack prevention method. The TCP flooding attack prevention method includes identifying the type of a packet received at an intermediate stage between a client and a server; determining the direction of the packet; defining a plurality of session states based on the type and the direction of the packet; detecting a TCP flooding attack by tracking the session states for each flow; and responding to the TCP flooding attack based on the type of the TCP flooding attack.
Type: Grant
Filed: November 2, 2011
Date of Patent: March 4, 2014
Assignee: Electronics and Telecommunications Research Institute
Inventors: Seung-Yong Yoon, Byoung-Koo Kim
-
Publication number: 20130263268
Abstract: A server receives a first echo request message which complies with an Internet control message protocol, extracts filtering information from header information of the received first echo request message, and when a second echo request message which complies with the Internet control message protocol is received, compares header information of the received second echo request message and the extracted filtering information so as to determine whether to block an attacking packet for the received second echo request message. According to the present invention, the server blocks the attacking packet using the Internet control message protocol, thereby blocking a denial-of-service attack.
Type: Application
Filed: December 14, 2011
Publication date: October 3, 2013
Applicant: Electronics and Telecommunications Research Institute
Inventors: Byoung-Koo Kim, Seung-Yong Yoon
-
Publication number: 20130031626
Abstract: Disclosed are methods of detecting a domain name server (DNS) flooding attack according to characteristics of a type of attack traffic. A method of detecting an attack by checking a DNS packet transmitted over a network in a computer device connected to the network, includes determining whether the number of DNS packets previously generated within a threshold time with the same type of message, the same specific address and the same field value as in the transmitted packet is greater than or equal to a given number, and determining the transmitted DNS packet as a packet related to the attack if the number of DNS packets previously generated within the threshold time is greater than or equal to the given number.
Type: Application
Filed: June 21, 2012
Publication date: January 31, 2013
Applicant: Electronics and Telecommunications Research Institute
Inventor: Byoung Koo KIM
-
Patent number: 8365277
Abstract: Enclosed are a signature string storage memory optimizing method, a signature string pattern matching method, and a signature matching engine. Signature is tokenized in units of substrings and the tokenized substrings are stored in an internal memory block and an external memory block to optimize a memory storage pattern. Therefore, matching of introduction data to signature patterns is effectively performed.
Type: Grant
Filed: December 10, 2008
Date of Patent: January 29, 2013
Assignee: Electronics and Telecommunications Research Institute
Inventors: Byoung Koo Kim, Jin Tae Oh, Jong Soo Jang, Sung Won Sohn
-
Patent number: 8230503
Abstract: A method and apparatus for extracting a windows executable file that can search for a pattern related to windows executable files among a large quantity of network packets using a hardware-based session tracking and pattern matching technology and that can extract all packets included in the corresponding session are provided. The method of extracting a windows executable file includes: collecting incoming packets having a payload according to a session of a reference packet having an MZ pattern; performing a portable executable (PE) pattern matching for the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching.
Type: Grant
Filed: August 17, 2009
Date of Patent: July 24, 2012
Assignee: Electronics and Telecommunications Research Institute
Inventors: Byoung Koo Kim, Seung Yong Yoon, Ik Kyun Kim, Jin Tae Oh, Jong Soo Jang, Hyun Sook Cho
-
Publication number: 20120167222
Abstract: An apparatus for diagnosing malicious files includes an information transferring unit configured to receive information regarding a malicious file distributed in a management network and an execution file generated by assembling packets collected from the management network; an anti-virus engine configured to determine whether or not the execution file is malicious to generate information regarding a new malicious file; and a management unit configured to transfer the information regarding the malicious file and the information regarding the new malicious file to a terminal device on the management network through the information transferring unit.
Type: Application
Filed: December 22, 2011
Publication date: June 28, 2012
Applicant: Electronics and Telecommunications Research Institute
Inventors: Ik Kyun KIM, Yang-Seo CHOI, Byoung-Koo KIM, Seung Yong YOON, Youngjun HEO, Dae Won KIM, Il AHN CHEONG, Jintae OH, Jong Soo JANG
-
Publication number: 20120151584
Abstract: Disclosed herein is a method for blocking a Denial-of-Service (DoS) attack. A server extracts a plurality of suspicious packets including data, length of which is equal to or greater than a preset length, from a plurality of received packets. The server determines a packet, which includes data composed of characters or character strings identical to each other, among the plurality of suspicious packets, to be an attack packet. The server blocks a packet corresponding to the attack packet. Accordingly, the present invention can block a DoS attack based on UDP flooding.
Type: Application
Filed: December 13, 2011
Publication date: June 14, 2012
Applicant: Electronics and Telecommunications Research Institute
Inventors: Byoung-Koo KIM, Seung-Yong Yoon
-
Publication number: 20120117646
Abstract: Disclosed herein is a Transmission Control Protocol (TCP) flooding attack prevention method. The TCP flooding attack prevention method includes identifying the type of a packet received at an intermediate stage between a client and a server; determining the direction of the packet; defining a plurality of session states based on the type and the direction of the packet; detecting a TCP flooding attack by tracking the session states for each flow; and responding to the TCP flooding attack based on the type of the TCP flooding attack.
Type: Application
Filed: November 2, 2011
Publication date: May 10, 2012
Applicant: Electronics and Telecommunications Research Institute
Inventors: Seung-Yong Yoon, Byoung-Koo Kim
-
Publication number: 20100146621
Abstract: A method and apparatus for extracting a windows executable file that can search for a pattern related to windows executable files among a large quantity of network packets using a hardware-based session tracking and pattern matching technology and that can extract all packets included in the corresponding session are provided. The method of extracting a windows executable file includes: collecting incoming packets having a payload according to a session of a reference packet having an MZ pattern; performing a portable executable (PE) pattern matching for the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching.
Type: Application
Filed: August 17, 2009
Publication date: June 10, 2010
Applicant: Electronics and Telecommunications Research Institute
Inventors: Byoung Koo Kim, Seung Yong Yoon, Ik Kyun Kim, Jin Tae Oh, Jong Soo Jang, Hyun Sook Cho
-
Patent number: 7735128
Abstract: A method of storing a pattern matching policy and a method of controlling an alert message are provided.
Type: Grant
Filed: December 7, 2006
Date of Patent: June 8, 2010
Assignee: Electronics and Telecommunications Research Institute
Inventors: Byoung Koo Kim, Kwang Ho Baik, Jin Tae Oh, Jong Soo Jang, Sung Won Sohn
-
Patent number: 7735137
Abstract: A method and apparatus for storing an intrusion rule are provided. The method stores a new intrusion rule in an intrusion detection system having already stored intrusion rules, and includes: generating combinations of divisions capable of dividing the new intrusion rule into a plurality of partial intrusion rules; calculating the frequency of hash value collisions between each of the generated division combinations and the already stored intrusion rules; dividing the new intrusion rule according to the division combination which has the lowest calculated frequency of hash value collisions; and storing the divided new intrusion rule in a corresponding position of the intrusion detection system. According to the method and apparatus, the size of the storage unit occupied by the intrusion rule can be reduced, and by performing pattern matching, the performance of the intrusion detection system can be enhanced.
Type: Grant
Filed: July 10, 2006
Date of Patent: June 8, 2010
Assignee: Electronics and Telecommunications Research Institute
Inventors: Kwang Ho Baik, Byoung Koo Kim, Jin Tae Oh, Jong Soo Jang, Sung Won Sohn
-
Publication number: 20090158431
Abstract: There is provided a method of detecting a polymorphic shell code. The decoding routine of the polymorphic shell code is detected from received data. In order for the decoding routine to access the address of an encoded code, the address of a currently executed code is stored in a stack, the value is moved in a register table, and it is determined whether the value is actually used for operating a memory. Emulation is finally performed and the degree of correctness of detection is improved. Therefore, time spent on detecting the polymorphic shell code and an overhead are reduced and the correctness of detection is increased.
Type: Application
Filed: December 12, 2008
Publication date: June 18, 2009
Applicant: Electronics and Telecommunications Research Institute
Inventors: Dae Won KIM, Ik Kyun KIM, Yang Seo CHOI, Seung Yong YOON, Byoung Koo KIM, Jin Tae OH, Jong Soo JANG
-
Publication number: 20090158427
Abstract: Enclosed are a signature string storage memory optimizing method, a signature string pattern matching method, and a signature matching engine. Signature is tokenized in units of substrings and the tokenized substrings are stored in an internal memory block and an external memory block to optimize a memory storage pattern. Therefore, matching of introduction data to signature patterns is effectively performed.
Type: Application
Filed: December 10, 2008
Publication date: June 18, 2009
Inventors: Byoung Koo Kim, Jin Tae Oh, Jong Soo Jang, Sung Won Sohn