Abstract: Disclosed herein are an apparatus and method for distributed consensus in an environment in which a fraction of Byzantine nodes is dynamically changed. The distributed consensus apparatus in a dynamic Byzantine fraction environment includes one or more processor and executable memory for storing at least one program executed by the one or more processors. The at least one program is configured to calculate a stochastic variable for the probability that a preset fraction of Byzantine nodes is changed using the probability that at least one of consensus candidate nodes corresponding to a preset consensus quorum is changed to a Byzantine node and to perform distributed consensus using the stochastic variable in the dynamic Byzantine fraction environment.

Abstract: A block consensus method of a computing device is provided. The computing device receives a delegate request message including transaction hashes from each of a plurality of nodes, generates a prepared block including transaction hashes based on the delegate request message, and transmits a prepare message including the prepared block to the nodes. The computing device receives a commit message including a proof of consensus on a validity of the prepared block from the nodes, and transmits a reply message including a final block decided based on the commit message.

Abstract: An agreement method of a block in a blockchain network by a chair node includes: receiving, from a plurality of congress nodes in a congress, information on an exceptional situation which occurred during agreement processes of a block; transmitting an empty block agreement start message including information on the exceptional situation and verification data for the exceptional situation to the plurality of congress nodes; generating a candidate empty block which does not include a transaction when receiving a delegate request message from at least two congress nodes among the plurality of congress nodes and transmitting the candidate empty block to committee nodes; and generating a final empty block when the candidate empty block is verified by the committee nodes and transmitting the final empty block to all nodes in the blockchain network is provided.

Abstract: A method and apparatus for protecting an application layer in a computer network system. The method includes creating a session between a client and a data provider in response to a session connection request from the client, and determining the client as an application layer attacking client when the client generates a session termination request before the data provider transmits to the client a response packet to a data request from the client under the created session.

Abstract: An apparatus for diagnosing malicious files includes a information transferring unit configured to receive information regarding a malicious file distributed in a management network and an execution file generated by assembling packets collected from the management network; an anti-virus engine configured to determine whether or not the execution file is malicious to generate information regarding a new malicious file; and a management unit configured to transfer the information regarding the malicious file and the information regarding the new malicious file to a terminal device on the management network through the information transferring unit.

Abstract: An apparatus for detecting a distributed denial of service (DDoS) attack includes: a monitoring unit for monitoring multiple GET requests and responses transmitted and received depending on a session establishment between a client and a server; and an attack detection unit for analyzing the monitored multiple GET requests and responses between the client and the server to detect a traffic of the DDoS attack against the server.

Abstract: A method and apparatus for protecting an application layer in a computer network system. The method includes creating a session between a client and a data provider in response to a session connection request from the client, and determining the client as an application layer attacking client when the client generates a session termination request before the data provider transmits to the client a response packet to a data request from the client under the created session.

Abstract: A data hashing method, a data processing method, and a data processing system using a similarity-based hashing (SBH) algorithm in which the same hash value is calculated for the same data and the more similar data, the smaller difference in the generated hash values. The data hashing method includes receiving computerized data, and generating a hash value of the computerized data using the SBH algorithm in which two data are the same if calculated hash values are the same and two data are similar if the difference of calculated hash values is small, wherein a search, comparison, and classification of data may be quickly processed within a time complexity of O(1) or O(n) since the similarity/closeness of data content are quantified by component values for each of the respective corresponding generated hash values.

Abstract: In a real-time network attack pattern detection system and method, a common pattern is detected in real time from packets, which are suspected to be a network attack such as Worm, to effectively block the attack. The system includes: a suspicious packet detector for classifying a suspicious attack packet from all input packets; a first data delaying unit for receiving the input packet from the suspicious packet detector to output an one-clock delayed data; a second data delaying unit for receiving an output signal from the first data delaying unit to output an one-clock delayed data; a hash key generator for receiving an output data of the suspicious packet detector, an output data of the first data delaying unit and an output data of the second data delaying unit to generate a hash key; a hash table for storing a lookup result obtained by the hash key generated from the hash key generator; and an existence & hit checker for checking the lookup result of the hash table.

Abstract: The present invention relates to a network intrusion detection and prevention system. The system includes: a signature based detecting device; an anomaly behavior based detecting device; and a new signature creating and verifying device disposed between the signature based detecting device and the anomaly behavior based detecting device, wherein if the anomaly behavior based detecting device detects network-attack-suspicious packets, the new signature creating and verifying device collects and searches the detected suspicious packets for common information, and then creates a new signature on the basis of the searched common information and at the same time, verifies whether or not the created new signature is applicable to the signature based detecting device, and then registers the created new signature to the signature based detecting device if it is determined that the created new signature is applicable.

Abstract: A trap matrix searches the entire contents of a data stream for a pattern that matches the pattern for a search term. In those circumstances where there is a match between patterns of the data stream and the search term, the method and system can proceed to an exact match operation. In particular, a pointer matrix and a corresponding active control matrix are generated according to a set of terms in a rule table. Data is sequenced the trap matrix according to the hierarchy of its trap elements. The trap elements perform a pattern match check between the sequenced data stream and any search term in the set of terms in the rule table. Results from a positive pattern match are preferably communicated from the matching trap element to an exact match lookup.

Abstract: An apparatus and method for performing packet header lookup based on sequential lookup is provided. A header analyzer separates a header from a packet received via a network and outputs a lookup sequence. A unit lookup unit looks up matching the header combination rules with each field to be analyzed and input from the header analyzer based on the lookup sequence input from the header analyzer and outputs a match signal and a match address. A rule combination memory stores identification information for the header combination rules. A sequence combination memory stores lookup sequence information and sequence combination information. A rule combination unit generates match results based on the match signal input from the unit lookup unit and data read from the rule combination memory and the sequence combination memory.

Abstract: Provided is a security method and apparatus for supporting IPv4 and IPv6. The security apparatus includes a packet classifier classifying an IPv4 packet and an IPv6 packet based on version information in header information of an input IP packet, a key generator generating header information corresponding to each of the classified IPv4 and IPv6 packets and generating a discrimination key corresponding to each of the classified IPv4 and IPv6 packets based on the generated header information, and a lookup engine comprising a first bank in which a security policy for IPv4 packets is established and a second bank in which a security policy for IPv6 packets is established, by which the first bank and the second bank are searched using the discrimination key corresponding to each packet.

Abstract: Provided are an apparatus and a method for data encryption using a secure memory, and more particularly, to an apparatus and a method for high-speed, large-volume data encryption using a security function included in the secure memory in response to an encryption/decryption request of a user application program. Conventional data encryption methods perform data encryption using software or hardware including a peripheral component interconnect (PCI) bus. However, the conventional data encryption methods do not satisfy speed-sensitive applications. To improve this problem, the present invention provides an apparatus and a method for high-speed, large-volume data encryption using a security function of a memory.

Abstract: A method and apparatus for automatically generating a signature used in a security system are provided. The apparatus and method include a configuration for combining a plurality of substrings extracted from a packet and generating a substring set; a configuration for examining the attacking characteristic of a packet having a substring set and confirming whether or not the substring can be used as a signature for detecting an attacking packet; and a configuration for optimization so as to increase the distinction and storing efficiency of a signature.

Abstract: Provided are a data hashing method, a data processing method, and a data processing system using a similarity-based hashing (SBH) algorithm in which the same hash value is calculated for the same data and the more similar data, the smaller difference in the generated hash values. The data hashing method includes receiving computerized data, and generating a hash value of the computerized data using the SBH algorithm in which two data are the same if calculated hash values are the same and two data are similar if the difference of calculated hash values is small. Therefore, a search, comparison, and classification of data can be quickly processed within a time complexity of O(1) or O(n) since the similarity/closeness of data content are quantified by that of the corresponding hash values.

Abstract: The present invention relates to a real-time network attack pattern detection system and a method thereof in which a common pattern is detected in real time from packets, which are suspected to be a network attack such as Worm, to effectively block the attack.

Abstract: The present invention relates to a network intrusion detection and prevention system. The system includes: a signature based detecting device; an anomaly behavior based detecting device; and a new signature creating and verifying device disposed between the signature based detecting device and the anomaly behavior based detecting device, wherein if the anomaly behavior based detecting device detects network-attack-suspicious packets, the new signature creating and verifying device collects and searches the detected suspicious packets for common information, and then creates a new signature on the basis of the searched common information and at the same time, verifies whether or not the created new signature is applicable to the signature based detecting device, and then registers the created new signature to the signature based detecting device if it is determined that the created new signature is applicable.

Abstract: A trap matrix searches the entire contents of a data stream for a pattern that matches the pattern for a search term. In those circumstances where there is a match between patterns of the data stream and the search term, the method and system can proceed to an exact match operation. In particular, a pointer matrix and a corresponding active control matrix are generated according to a set of terms in a rule table. Data is sequenced the trap matrix according to the hierarchy of its trap elements. The trap elements perform a pattern match check between the sequenced data stream and any search term in the set of terms in the rule table. Results from a positive pattern match are preferably communicated from the matching trap element to an exact match lookup.

Abstract: A trap matrix searches the entire contents of a data stream for a pattern that matches the pattern for a search term. In those circumstances where there is a match between patterns of the data stream and the search term, the method and system can proceed to an exact match operation. In particular, a pointer matrix and a corresponding active control matrix are generated according to a set of terms in a rule table. Data is sequenced through the trap matrix according to the hierarchy of its trap elements. The trap elements perform a pattern match check between the sequenced data stream and any search term in the set of terms in the rule table. Results from a positive pattern match are preferably communicated from the matching trap element to an exact match lookup.