Patents by Inventor Sung Won Sohn

Sung Won Sohn has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20050102505
    Abstract: A method for dynamically changing an intrusion detection rule in a kernel level intrusion detection system is disclosed. The method includes the steps of: a) generating a replica of the intrusion detection rule in a kernel area; b) changing the replica of the intrusion detection rule according to a request of changing the intrusion detection rule from the kernel area; and c) changing a currently applied intrusion detection rule by exchanging a value of a pointer representing the intrusion detection rule with a value of a pointer representing the changed replica of the intrusion detection rule.
    Type: Application
    Filed: December 29, 2003
    Publication date: May 12, 2005
    Inventors: Bo-Heung Chung, Seungho Ryu, Jeong-Nyeo Kim, Sung-Won Sohn, Chee-Hang Park
  • Publication number: 20050081046
    Abstract: A network correction security system. The network correction security system, connected between a network node and a security-related external system, detects attacks on the network node, corrects weak parts of the performance of the network node, collects information for improving the security performance of the network node from a security-related external system, analyzes the information, monitors principal resources of the network node to detect a fault, and removes the fault according to a measure corresponding to a grade of the fault. The network correction security system carries out a recovery process when the fault has not been corrected, and recovers the functions of the network node according to a recovery mechanism when the fault has not been removed after the recovery process.
    Type: Application
    Filed: June 30, 2004
    Publication date: April 14, 2005
    Inventors: Seung-Min Lee, Taek-Yong Nam, Sung-Won Sohn, Chee-Hang Park
  • Publication number: 20040186998
    Abstract: Disclosed is an integrated security information management system and method.
    Type: Application
    Filed: December 30, 2003
    Publication date: September 23, 2004
    Inventors: Ju-Han Kim, Ki-Young Moon, Sung-Won Sohn, Chee-Hang Park
  • Publication number: 20040170275
    Abstract: Provided are an apparatus and method for cryptographing and/or deciphering an image. The apparatus includes an image segmenting unit, a random image generating unit, a cryptographing unit, and a phase card generating unit. The image segmenting unit segments an input binary image into images. The random image generating unit generates as many random images as the segmented images. The cryptographing unit performs XOR operations on the segmented images and the random images on a one-to-one basis to produce as many cryptographed images as the segmented images. The phase card generating unit assigns phase values of π and 0 to black and white pixels of the cryptographed images to generate phase cards corresponding to the cryptographed images.
    Type: Application
    Filed: August 21, 2003
    Publication date: September 2, 2004
    Inventors: Sang Su Lee, Jong Wook Han, Sung Won Sohn, Chee Hang Park, Jong Yun Kim
  • Publication number: 20040098612
    Abstract: The AAA client generates accounting data, transmits an accounting data transmission request message to the AAA server, and then receives a response message to the accounting data transmission request message from the AAA server. If receiving a transmission failure response message for the accounting data from the AAA server, the AAA client stores accounting data generated after receiving the transmission failure response message, and if an amount of the stored accounting data is increased to a certain limit, the AAA client sets an identifier for a batch accounting application in the accounting data and transmits an accounting data transmission request message, including stored batch accounting data and the session information, to the AAA server. The AAA server confirms the identifier and the transmission request message and searches the accounting record for session information mapped to the session information included in the ACR message.
    Type: Application
    Filed: November 6, 2003
    Publication date: May 20, 2004
    Applicant: MedNovus, Inc.
    Inventors: Byung Gil Lee, Mal Hee Kim, Hyun Gon Kim, Sung Won Sohn
  • Publication number: 20040098618
    Abstract: A system for defending against a distributed denial-of-service attack includes an intrusion detection system, an active security management system and an active security node. The intrusion detection system generates alert data if a denial-of-service attack is detected. The active security management system manages a domain, analyzes the alert data, generates and transmits a backtracking sensor in a case of the distributed denial-of-service attack, transmits mobile sensors to a host backtracked by the backtracking sensor to remove a master or an agent program within the host; and generates and transmits a backtracking sensor by using an IP address of a host that has transmitted a packet to the removed master or agent program. The active security node executes the transmitted backtracking sensor to backtrack an attacking host of the distributed denial-of-service attack and, if the backtracked host is determined as a real attacker, intercepts traffic generated from the real attacker.
    Type: Application
    Filed: August 14, 2003
    Publication date: May 20, 2004
    Inventors: Hyun Joo Kim, Jung-Chan Na, Sung Won Sohn
  • Publication number: 20040088536
    Abstract: An apparatus for providing a trusted channel among secure operating systems (OSs) to which a mandatory access control (MAC) policy is applied includes on a data transmission side a trusted channel sub system, a MAC module and a kernel memory. The apparatus further includes on a data reception side a trusted channel system and a kernel memory. By using the apparatus, the contents of data can be prevented from being exposed even in case the packet is intercepted while being transmitted since the packet is encrypted. Furthermore, even though the contents of the data packet are replaced with malicious contents, such modulation of data can be detected by examining the integrity of the packet through the use of authentication data.
    Type: Application
    Filed: October 28, 2003
    Publication date: May 6, 2004
    Inventors: Jae Deok Lim, Joon Suk Yu, Sung Kyong Un, So-Young Doo, Jeong Nyeo Kim, Sung Won Sohn
  • Publication number: 20040071149
    Abstract: There are provided an apparatus and method for transmitting data in a network system using network address translation. The method for transmitting data includes the steps of receiving a global network address corresponding to a local network address from a router using network address translation; encoding data using the global network address; and transmitting the encoded data to an external host on the global network via the router. Since the network address to be translated through the network address translation can be anticipated and substituted in real time during the transmission of the data, a variety of security services can be provided without significant modifications to the existing system, and accordingly, it is anticipated that the Internet protocol version 6 can be increasingly used.
    Type: Application
    Filed: December 31, 2002
    Publication date: April 15, 2004
    Inventors: Geon-woo Kim, Jae-hoon Nah, Sung-won Sohn
  • Publication number: 20030218988
    Abstract: A network using an open shortest path first (OSPF) protocol includes a routing table for transferring an active packet; and a plurality of active nodes. The plurality of active nodes generates an opaque link state advertisement (LSA) having active network topology information and floods the generated opaque LSA to nodes through the OSPF domain. The active nodes also receive an opaque LSA transferred from the nodes and, then, update the routing table for transferring the active packet based on the received opaque LSA.
    Type: Application
    Filed: September 6, 2002
    Publication date: November 27, 2003
    Inventors: Min-Ho Han, Jung-Chan Na, Sung Won Sohn
  • Publication number: 20030167404
    Abstract: Disclosed are a system and method of sharing intrusion detection information detected at different networks and tracking the intrusion, to thereby defend against the intrusion on a network to which an intruder belongs, and a computer-readable medium storing a program for implementing the above method therein. The system detects an intrusion through the analysis of an input packet, adds information associated with the intrusion into the packet, creates an active packet and transmits the active packet to an address of an intruder, which transmitted the packet. Thereafter, the system tracks the intrusion, for all routes through which the intruder passed based on the active packet, and filters the packet associated with the intruder for the isolation thereof.
    Type: Application
    Filed: November 16, 2001
    Publication date: September 4, 2003
    Inventors: Min-Ho Han, Jung-Chan, Sung Won Sohn
  • Publication number: 20030159069
    Abstract: Disclosed is a network-based attack tracing system and method using a distributed attack detection agent and manager system that can detect and trace an attack path of a hacker in real time on the whole network using distributed network-based attack detection agent, request manager, and reply manager. The agent detects an attack using a network-based intrusion detection system (NIDS), analyzes an alarm log that is judged to be the attack, changes the analyzed alarm log into attack information, and transmits the attack information to the request manager. The request manager performs a search of an attack IP based on the attack information received from the agent, stores a result of search in a tree structure, and if a final search is completed, extracts a hacking path using a binary search tree (BST) algorithm.
    Type: Application
    Filed: October 18, 2002
    Publication date: August 21, 2003
    Inventors: Byeong Cheol Choi, Yang Seo Choi, Dong Ho Kang, Dong Il Seo, Sung Won Sohn, Chee Hang Park
  • Publication number: 20030135759
    Abstract: A network security policy is represented, stored and edited by using a rule object, a condition object, an action object, and their associations. The condition object is a one-packet-condition object, a repeated-packet-condition object or a linear-packet-condition object. The action object is an alert-action object, a packet-drop-action object, a packet-admission-action object, a session-drop-action object, a session-admission-action object, a session-logging-action object, a traceback-action object or an ICMP-unreachable-message-sending-action object.
    Type: Application
    Filed: September 5, 2002
    Publication date: July 17, 2003
    Inventors: Sook Yeon Kim, Geon Lyang Kim, Myung Eun Kim, Ki Young Kim, Jong Soo Jang, Sung Won Sohn, Hyochan Bang
  • Publication number: 20030126466
    Abstract: A method for controlling an Internet information security system of a sender, for packet security in an IP level, is provided. It is determined whether to select security services of packets by referring to security policy database and security association database. Security association is negotiated with a key exchange server of a receiver. The negotiated security association is stored in a key management server. A security policy related with the security association is linked. A packet is sent by using the linked security policy and the security association.
    Type: Application
    Filed: July 3, 2002
    Publication date: July 3, 2003
    Inventors: So-Hee Park, Ji Hoon Jeong, Hyung Kyu Lee, Gunwoo Kim, Su Hyung Jo, Won-Joo Park, Jae Hoon Nah, Sung Won Sohn, Chee Hang Park
  • Publication number: 20030115486
    Abstract: An intrusion detection method by adaptive rule estimation in a network-based intrusion detection system (NDS) is disclosed. The method includes collecting a packet on a network and searching for an original rule most similar to the collected packet from a rule database in which a rule for intrusion detection is stored, and judging whether a hacker intrudes by estimating a changed position of the collected packet from the original rule. Accordingly, it is possible to prevent an indirect attack of a hacker using a packet whose number of bits is changed due to deletion/insertion of characters from/into the packet.
    Type: Application
    Filed: October 18, 2002
    Publication date: June 19, 2003
    Inventors: Byeong Cheol Choi, Dong Il Seo, Sung Won Sohn, Chee Hang Park
  • Patent number: 5812550
    Abstract: An asynchronous transfer mode (ATM) layer function processing apparatus with an enlarged structure is disclosed including: an ATM layer receiving cell processor for storing a cell start signal and cell input data extracted by use of a cell read clock in a buffer when a cell transmissible signal is received from an input signal of a subscriber physical layer function processor, extracting a flag according to the number of stored cells, and performing a multiplexing operation according to a scheduling algorithm using a cell interrupt signal and the extracted flag; a processor interface for forming a cell from data received from a microprocessor, storing the cell in a buffer, generating the cell interrupt signal, and controlling each constituent of the ATM layer function processing apparatus; an ATM layer transmitting cell processor for performing an input cell routing function according to an output port identifier value when a corresponding routing value and a match signal are generated from a connection table
    Type: Grant
    Filed: December 6, 1996
    Date of Patent: September 22, 1998
    Assignees: Electronics and Telecommunications Research Institute, Korea Telecommunication Authority
    Inventors: Sung Won Sohn, Yoon Mi Doh, Jong Oh Kim