Abstract: In the present invention, by providing an apparatus for securing data comprising a memory for storing information for data processing, a processor configured to partition original data into a plurality of partial data and generate a plurality of divided data by randomly determining positions of each of the plurality of partial data within the original data, and a communication interface configured to transmit each of the plurality of divided data to each of a plurality of servers, respectively, if an attacker obtains a portion of the divided data, it prevents the entire original data from being restored, and the legitimate user can restore the original data accurately even if some divided data is corrupted, and provides an efficient data polymorphic dividing technique that can minimize the amount of calculation required to secure data.

Abstract: Disclosed herein is an apparatus for enhancing network security, which includes an information collection unit for collecting information about states of hosts that form a network and information about connectivity in the network; an attack surface analysis unit for analyzing attack surfaces by creating an attack graph using the information about the states and the information about connectivity; a security-enhancing strategy establishment unit for establishing a security-enhancing strategy based on the attack graph; and a security-enhancing strategy implementation unit for delivering a measure based on the security-enhancing strategy to a corresponding host, thereby taking a security-enhancing measure.

Abstract: Disclosed herein are an apparatus and method for generating and operating a dynamic Controller Area Network (CAN) Identifier (ID). The apparatus includes a priority ID generation unit for generating a priority ID that is a base ID, a dynamic ID generation unit for generating a dynamic ID that is dynamically changed, and a communication unit for transmitting/receiving a data frame in which a dynamic CAN ID including the priority ID and the dynamic ID is combined with data.

Abstract: A ransomware detection apparatus and an operation method thereof are provided. The ransomware detection apparatus may include a frequency converter receiving an OP code currently being executed in a CPU and converting a value of the OP code into a frequency domain to generate a first OP code frequency waveform, a memory storing a second OP code frequency waveform, which is a value obtained by converting the OP code corresponding to a ransomware encryption algorithm into a frequency domain, and a ransomware determiner comparing the first OP code frequency waveform with the second OP code frequency waveform to determine whether ransomware operates.

Abstract: A behavior-based malicious code detecting apparatus and method using multiple feature vectors is disclosed. A malicious code learning method may include collecting characteristic factor information when a training target process comprising a malicious code is executed, generating a feature vector for malicious code verification based on the collected characteristic factor information, learning the generated feature vector through a plurality of machine learning algorithms to generate a model of representing the malicious code and a model of representing a normal file, and storing the model of representing the malicious code and the model of representing the normal file generated through the learning.

Abstract: Disclosed herein are a stepping-stone detection apparatus and method. The stepping-stone detection apparatus includes a target connection information reception unit for receiving information about a target connection from an intrusion detection system (IDS), a fingerprint generation unit for generating a target connection fingerprint based on the information about the target connection, and generating one or more candidate connection fingerprints using information about one or more candidate connections corresponding to one or more flow information collectors, and a stepping-stone detection unit for detecting a stepping stone by comparing the target connection fingerprint, in which a maximum allowable delay time is reflected, with the candidate connection fingerprints.

Abstract: Disclosed herein are an integrated network data collection apparatus and method. The integrated network data collection apparatus includes a packet collection unit for collecting packets corresponding to one or more virtual machines included in a cloud server, a flow-processing unit for generating flow information based on the collected packets, a session-processing unit for generating session information based on the generated flow information, and a storage unit for storing network data including at least one of the generated flow information and the generated session information.

Abstract: An apparatus and method for visualizing data. The apparatus for visualizing data includes a behavior information collection unit for executing an application from which information is to be collected and collecting behavior information from a process of the executed application, a behavior feature extraction unit for extracting behavior features in an order in which the behavior information is called, a behavior sequence generation unit for generating a behavior sequence by arranging the behavior features in chronological order, and a behavior sequence visualization unit for visualizing the behavior sequence as a 3D sequence object.

Abstract: Disclosed is a method for detecting a cyberthreat through correlation analysis of security events, which includes extracting a false-positive data set by extracting, from source data, information about security events occurring during a predetermined time period based on a time at which erroneous detection occurred; extracting a true-positive data set by extracting, from the source data, information about security events occurring during the predetermined time period based on a time at which an intrusion threat was correctly detected; extracting a current data set by extracting information about security events occurring during the predetermined time period from data to be analyzed; generating event coincidence statistics by extracting a frequency of each security event in the respective data sets and by compiling statistics thereon; generating an event vector based on the event coincidence statistics; and performing intrusion threat detection through a vector space model based on the event vector.

Abstract: A computing device configured to execute an instruction set is provided. The computing device includes a system call hooker for hooking system calls that occur by the instruction set while the instruction set is executed, a category extractor for extracting a category to which each of the hooked system calls belongs with reference to category information associated with a correspondence relationship between a system call and a category, a sequence extractor for extracting one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls with reference to the extracted category, and a model generator for generating a behavior pattern model of the system calls that occur when the instruction set is executed, based on a number of times that each of the extracted behavior sequences occurs.

Abstract: The present invention relates to an apparatus and a method for detecting a malware code by generating and analyzing behavior pattern. A malware code detecting apparatus includes a behavior pattern generating unit which defines a characteristic parameter which distinguishes and specifies behaviors of a malware code and normally executable programs, converts an API calling event corresponding to the defined characteristic parameter and generates a behavior pattern in accordance with a similarity for behaviors of converted API call sequences to store the behavior pattern in a behavior pattern DB; and a malware code detecting unit which converts the API calling event corresponding to the defined characteristic parameter when the target process is executed into the API call sequence and determines whether the behavior pattern is a malware code in accordance with a similarity for behaviors of the converted API call sequence and the sequence stored in the behavior pattern DB.

Abstract: Disclosed herein are an apparatus and method for detecting a Distributed Reflection Denial of Service (DRDoS) attack. The DRDoS attack detection apparatus includes a network flow data reception unit for receiving network flow data from network equipment, a session type determination unit for determining a session type of the received network flow data, a host type determination unit for determining a type of host corresponding to the network flow data based on the session type, an attack method determination unit for determining an attack method corresponding to the network flow data, a protocol identification unit for identifying a protocol of the network flow data, and an attack detection unit for detecting a DRDoS attack based on the session type, the host type, the attack method, and the protocol.

Abstract: The present invention relates to an apparatus and a method for detecting a malware code by generating and analyzing behavior pattern. A malware code detecting apparatus includes a behavior pattern generating unit which defines a characteristic parameter which distinguishes and specifies behaviors of a malware code and normally executable programs, converts an API calling event corresponding to the defined characteristic parameter and generates a behavior pattern in accordance with a similarity for behaviors of converted API call sequences to store the behavior pattern in a behavior pattern DB; and a malware code detecting unit which converts the API calling event corresponding to the defined characteristic parameter when the target process is executed into the API call sequence and determines whether the behavior pattern is a malware code in accordance with a similarity for behaviors of the converted API call sequence and the sequence stored in the behavior pattern DB.

Abstract: Disclosed is an apparatus of detecting a distributed reflection denial of service attack, including: a monitoring unit obtaining flow information including an IP and a port number of a source, an IP and a port number of a destination of data, and the number and the sizes of packets; a memory unit storing a flow table in which the flow information of the data, the packet number and the packet size are input; and a control unit detecting the DRDoS attack by using at least one of the number and the size of packets of the first entry and the flow information of the first entry.

Abstract: The present invention relates to a system and method for interlocking intrusion information. An intrusion information interlocking system includes at least one interlocking client which is connected to a client system which collects session information of intrusion in different network domains to transmit the intrusion information collected by the client system to the control system and requests analysis information on the intrusion information in accordance with a request of the client system to provide the analysis information to the client system, and an interlocking server which is connected to a control system which analyzes intrusion information to transmit the intrusion information of different network domains provided from one or more interlocking clients to the control system, stores the intrusion analysis information from the control system, and shares the stored intrusion analysis information with the interlocking client in accordance with the request of the interlocking client.

Abstract: Disclosed are an apparatus and method for reconstructing a transmitted file with high performance in real time, which select analysis target packets for reconstruction by first checking using hardware whether data file-related information is present in packets transmitted via large-capacity traffic over a broadband network, and which reconstruct a file in real time only from the selected analysis target packets. The file reconstruction apparatus for reconstructing a data file from packets on a network includes a packet monitoring unit for extracting packets on the network, a collected packet selection unit for determining whether, for the extracted packets, each packet is a reconstruction target based on flow information, and selecting a reconstruction target packet, and a file reconstruction unit for performing file reconstruction by extracting data from the reconstruction target packet and by storing the extracted data as data of a reconstructed file in a relevant flow.

Abstract: Disclosed herein are a network traffic recording apparatus and method. The network traffic recording apparatus includes a data partitioning unit for generating a single data block from original data corresponding to a certain unit and partitioning the single data block into preset units, a data integrity verification information generation unit for generating data integrity verification information for each data block, and a data redundancy elimination encoding unit for performing redundancy elimination on data, which is a target of redundancy elimination, for each data block.

Abstract: A behavior-based malicious code detecting apparatus and method using multiple feature vectors is disclosed. A malicious code learning method may include collecting characteristic factor information when a training target process comprising a malicious code is executed, generating a feature vector for malicious code verification based on the collected characteristic factor information, learning the generated feature vector through a plurality of machine learning algorithms to generate a model of representing the malicious code and a model of representing a normal file, and storing the model of representing the malicious code and the model of representing the normal file generated through the learning.

Abstract: The method for tracking a cyber hacking is provided. The method of connection fingerprint generation and stepping-stone traceback based on NetFlow includes receiving a traceback request including IP packet attribute information of a victim and an attacker which corresponds to a target connection that is the last connection on a connection chain, generating a fingerprint for an associated connection based on the IP packet attribute information and requesting a NetFlow collector for relevant information, detecting a stepping-stone connection to the target connection which is generated at the time of generation of the fingerprint and instructing to check whether sorted candidate connections are present on the same connection chain as the target connection, and determining an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection.

Abstract: An apparatus and method for detecting abnormal connection behavior are disclosed. The apparatus for detecting abnormal connection behavior includes a data extraction unit, a data storage unit, and a detection unit. The data extraction unit collects network data transmitted and received over a network including a plurality of hosts, and extracts data required for the detection of abnormal connection behavior from the network data. The data storage unit stores the extracted data required for the detection of abnormal connection behavior. The detection unit detects abnormal connection behavior based on characteristic factors corresponding to the stored data required for the detection of abnormal connection behavior and characteristic factors corresponding to malicious behavior.