Abstract: Disclosed herein is a method for processing a security event in a container virtualization environment. The method may include collecting designated security events in a kernel space, storing the collected security events in a security event storage module in real time, and providing a security manager with the security event corresponding to a query request from a security event management module, among the security events stored in the security event storage module.

Abstract: Disclosed herein are an apparatus and method for analyzing malicious code in a multi-core environment. The apparatus for analyzing malicious code includes a core setting unit for setting at least one monitoring core, on which malicious code is to be monitored, among cores of a multi-core Central Processing Unit (CPU), and executing a monitoring program on the monitoring core, a behavioral information collection unit for, when execution cores that are not set as the monitoring core execute analysis target code, collecting pieces of behavioral information using the monitoring program and a hardware debugging device, and a storage unit for storing the behavioral information.

Abstract: Disclosed herein are an apparatus and method for analyzing malicious code in a multi-core environment. The apparatus for analyzing malicious code includes a core setting unit for setting at least one monitoring core, on which malicious code is to be monitored, among cores of a multi-core Central Processing Unit (CPU), and executing a monitoring program on the monitoring core, a behavioral information collection unit for, when execution cores that are not set as the monitoring core execute analysis target code, collecting pieces of behavioral information using the monitoring program and a hardware debugging device, and a storage unit for storing the behavioral information.

Abstract: A network intrusion detection apparatus and method that perform Perl Compatible Regular Expressions (PCRE)-based pattern matching on the payloads of packets using a network processor equipped with a Deterministic Finite Automata (DFA) engine. The network intrusion detection apparatus includes a network processor core for receiving packets from a network, and transmitting payloads of the received packets to a Deterministic Finite Automata (DFA) engine. A detection rule converter converts a PCRE-based detection rule, preset to detect an attack packet, into a detection rule including a pattern to which only PCRE grammar corresponding to the DFA engine is applied. The DFA engine performs PCRE pattern matching on the payloads of the packets based on the detection rule converted by the detection rule converter.

Abstract: A firewall policy inspection apparatus and method is provided. The firewall policy inspection apparatus includes an intrusion prevention rule obtainment unit for obtaining intrusion prevention rules from a target firewall policy. An anomaly rule detection unit detects an anomaly rule in a relationship between the intrusion prevention rules. A screen display unit displays an anomaly rule graph on a screen using results of the detection.

Abstract: A referer verification apparatus and method for controlling web traffic having malicious code are provided. In the referer verification method, whether a referer is present in a Hypertext Transfer Protocol (HTTP) packet is determined. If it is determined that the referer is present in the HTTP packet, Uniform Resource Locators (URLs) are extracted from a referer web page corresponding to the referer. The referer is verified based on a URL corresponding to a referer verification request received from a server and the extracted URLs. A Completely Automated Public Test to tell Computers and Humans Apart (CAPTCHA) verification procedure conducted by a user is performed based on results of the verification of the referer.

Abstract: A firewall policy inspection apparatus and method is provided. The firewall policy inspection apparatus includes an intrusion prevention rule obtainment unit for obtaining intrusion prevention rules from a target firewall policy. An anomaly rule detection unit detects an anomaly rule in a relationship between the intrusion prevention rules. A screen display unit displays an anomaly rule graph on a screen using results of the detection.

Abstract: A system and method for detecting network intrusion by using a network processor are provided. The intrusion detection system includes: a first intrusion detector, configured to use a first network processor to perform intrusion detection on layer 3 and layer 4 of a protocol field among information included in a packet header of a packet transmitted to the intrusion detection system, and when no intrusion is detected, classify the packets according to stream and transmit the classified packets to a second intrusion detector; and a second intrusion detector, configured to use a second network processor to perform intrusion detection through deep packet inspection (DPI) for the packet payload of the packets transmitted from the first intrusion detector. Thereby, intrusion detection for high-speed packets can be performed in a network environment.

Abstract: A network intrusion detection apparatus and method that perform Perl Compatible Regular Expressions (PCRE)-based pattern matching on the payloads of packets using a network processor equipped with a Deterministic Finite Automata (DFA) engine. The network intrusion detection apparatus includes a network processor core for receiving packets from a network, and transmitting payloads of the received packets to a Deterministic Finite Automata (DFA) engine. A detection rule converter converts a PCRE-based detection rule, preset to detect an attack packet, into a detection rule including a pattern to which only PCRE grammar corresponding to the DFA engine is applied. The DFA engine performs PCRE pattern matching on the payloads of the packets based on the detection rule converted by the detection rule converter.

Abstract: A mobile terminal having security diagnosis functionality and a method of making a diagnosis on the security of the mobile terminal are provided. The mobile terminal includes a system check unit, an interface unit, a blacklist check unit, and a security diagnosis unit. The system check unit collects the basic information of the mobile terminal by performing a system check on the mobile terminal. The interface unit provides the basic information of the mobile terminal to a user and receives a control command from the user. The blacklist check unit checks whether at least one application installed in the mobile terminal is present in a blacklist registered on a server. The security diagnosis unit checks whether an abnormality has occurred in the corresponding application based on results of the comparison between the basic information of the mobile terminal with preset abnormality detection reference information and the control command.

Abstract: An apparatus and method for detecting a Hyper Text Transfer Protocol (HTTP) botnet based on the densities of transactions. The apparatus includes a collection management unit, a web transaction classification unit, and a filtering unit. The collection management unit extracts metadata from HTTP request packets collected by a traffic collection sensor. The web transaction classification unit extracts web transactions by analyzing the metadata, and generates a gray list by arranging the extracted web transactions according to the frequency of access. The filtering unit detects an HTTP botnet by filtering the gray list based on a white list and a black list.

Abstract: An apparatus and method for controlling traffic based on a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) are provided. The traffic control apparatus includes a traffic monitoring unit, a CAPTCHA verification unit, a list management unit, and a traffic control unit. The traffic monitoring unit monitors a packet between an internal network and an external network. The CAPTCHA verification unit, if packet information is not present in an access control list, sends a CAPTCHA request message to a client computer, receives a CAPTCHA response message, and verifies the CAPTCHA response message. The list management unit, if the packet information is present in the access control list, detects an access control policy corresponding to the packet information in the access control list. The traffic control unit controls traffic based the verification of the CAPTCHA response message and the control policy.

Abstract: A communication blocking control method includes receiving a communication blocking request from a terminal in an idle state in which it is difficult to find out whether information is leaked or not; registering a state of the terminal in a communication blocked list according to the communication blocking request; and blocking external communication of the terminal through a network.

Abstract: A referer verification apparatus and method for controlling web traffic having malicious code are provided. In the referer verification method, whether a referer is present in a Hypertext Transfer Protocol (HTTP) packet is determined. If it is determined that the referer is present in the HTTP packet, Uniform Resource Locators (URLs) are extracted from a referer web page corresponding to the referer. The referer is verified based on a URL corresponding to a referer verification request received from a server and the extracted URLs. A Completely Automated Public Test to tell Computers and Humans Apart (CAPTCHA) verification procedure conducted by a user is performed based on results of the verification of the referer.

Abstract: A mobile terminal having security diagnosis functionality and a method of making a diagnosis on the security of the mobile terminal are provided. The mobile terminal includes a system check unit, an interface unit, a blacklist check unit, and a security diagnosis unit. The system check unit collects the basic information of the mobile terminal by performing a system check on the mobile terminal. The interface unit provides the basic information of the mobile terminal to a user and receives a control command from the user. The blacklist check unit checks whether at least one application installed in the mobile terminal is present in a blacklist registered on a server. The security diagnosis unit checks whether an abnormality has occurred in the corresponding application based on results of the comparison between the basic information of the mobile terminal with preset abnormality detection reference information and the control command.

Abstract: A system and method for detecting network intrusion by using a network processor are provided. The intrusion detection system includes: a first intrusion detector, configured to use a first network processor to perform intrusion detection on layer 3 and layer 4 of a protocol field among information included in a packet header of a packet transmitted to the intrusion detection system, and when no intrusion is detected, classify the packets according to stream and transmit the classified packets to a second intrusion detector; and a second intrusion detector, configured to use a second network processor to perform intrusion detection through deep packet inspection (DPI) for the packet payload of the packets transmitted from the first intrusion detector. Thereby, intrusion detection for high-speed packets can be performed in a network environment.

Abstract: Provided are a method and system for supporting a simulated-exercise in a cyber space using a message. The system for supporting a simulated-exercise using a massage includes a simulated-exercise manager system for training trainees in a remote location connected through a network by transmitting a situation message for informing critical situations to the trainees and an automatic response message.