Abstract: Provided is a violation information management module configuring a violation information intelligence analysis system of an accumulated and integrated intelligence system (AEGIS), including a violation incident association information collection unit configured to analyze information received from a violation incident association information collection system and log the analyzed information, a violation information ID management unit configured to query a violation information DB about an ID of violation information and issue an ID to violation information to which an ID has not been assigned as a result of the query, and a violation information management unit configured to query the violation information DB about raw data or relationship information or store raw data or relationship information in the violation information DB and to query the violation information DB about information derived based on an analysis base defined by a system or administrator.

Abstract: Provided is a violation information intelligence analysis system configuring an AEGIS along with a violation incident association information collection system, including a violation information management module configured to manage information and violation information intelligence analysis-related information received from the violation incident association information collection system, a collection information analysis module configured to extract a violation information ID based on the received information and to extract a relationship between the violation information ID and raw data, an intelligence generation and management module configured to generate intelligence based on a policy stored in the violation information intelligence analysis system in response to an intelligence generation request, convert a format of the intelligence in order to externally transfer the intelligence, and store history information, and an intelligence analysis module configured to support an in-depth information (N-dep

Abstract: Provided is a mechanism capable of assigning at least one index (ID) to violation abuse resources, violation association information, and violation information by taking into consideration organic relationships between the violation abuse resources, the violation association information, and the violation information when the generated violation abuse resources, the violation association information, and the violation information are collected through an external violation sharing channel or when they are collected or queried and of managing the generated violation abuse resources, the violation association information, and the violation information.

Abstract: A system and method for analyzing mobile cyber incidents that checks whether codes attacking the weaknesses of mobile users are inserted into collected URLs and whether applications are downloaded and automatically executed, without the agreement of users, so that if the mobile cyber incidents are analyzed through the manual analysis of a manager, the applications to be analyzed manually can be reduced.

Abstract: A method for detecting mobile cyber incidents includes: allowing a mobile incident collection server to determine whether new text is received; extracting the text original hash from the received new text by means of the mobile incident collection server; allowing the mobile incident collection server to determine whether attached file exists on the basis of the extracted text original hash; if the attached file exists, extracting the attached file by means of the mobile incident collection server; and storing and managing the APP information of the extracted attached file as mobile cyber incident information in the mobile incident collection server.

Abstract: A system for detecting mobile cyber incidents includes: a mobile incident collection server adapted to collect text messages sent through communication company servers to produce text message detection information, to collect URL information based on real-time search words provided by search portals to produce URL detection information, and to collect basic information of application files being sold in application market servers to produce APK detection information; and a detection information DB adapted to receive, store and manage the text message detection information, the URL detection information and the APK detection information produced from the mobile incident collection server.

Abstract: A system and method for detecting final distribution and landing sites of a malicious code. The method extracts and collecting new article URLs and advertisement banner URLs by inspecting a main page of a press company; filters malicious-suspected URLs suspicious of hiding the malicious code from the new article URLs and the advertisement banner URLs; collects files created when the malicious-suspected URLs are visited, through visit inspection; self-inspects the created files collected through the created file collection using a commercial vaccine; and traces, if the malicious code is detected in the created file, the final distribution and landing sites distributing the detected malicious code.

Abstract: A method for detecting mobile cyber incidents includes: allowing a mobile incident collection server to determine whether new text is received; extracting the text original hash from the received new text by means of the mobile incident collection server; allowing the mobile incident collection server to determine whether attached file exists on the basis of the extracted text original hash; if the attached file exists, extracting the attached file by means of the mobile incident collection server; and storing and managing the APP information of the extracted attached file as mobile cyber incident information in the mobile incident collection server.

Abstract: A system for analyzing large-scale malicious codes includes a malicious code management server dividing suspected malicious traffic collected into a plurality of first suspected malicious executable files and transmitting the plurality of first suspected malicious executable files to at least one or more virtualization analysis servers; and the at least one or more virtualization analysis servers executing the plurality of first suspected malicious executable files through a plurality of virtualization analysis agents load-balanced correspondingly to the plurality of first suspected malicious executable files and extracting first API call information called by malicious codes in user level and in kernel level.

Abstract: A system for detecting malicious codes based on API includes: a malicious code management server storing first suspected malicious executable files extracted from traffic to be analyzed collected or inputted; and a virtualization analysis server executing the first suspected malicious executable files received from the malicious code management server, extracting first API call information called by malicious codes in user level and in kernel level, and transmitting the extracted first API call information to the malicious code management server.

Abstract: A system for detecting mobile cyber incidents includes: a mobile incident collection server adapted to collect text messages sent through communication company servers to produce text message detection information, to collect URL information based on real-time search words provided by search portals to produce URL detection information, and to collect basic information of application files being sold in application market servers to produce APK detection information; and a detection information DB adapted to receive, store and manage the text message detection information, the URL detection information and the APK detection information produced from the mobile incident collection server.

Abstract: A system and method for analyzing mobile cyber incidents that checks whether codes attacking the weaknesses of mobile users are inserted into collected URLs and whether applications are downloaded and automatically executed, without the agreement of users, so that if the mobile cyber incidents are analyzed through the manual analysis of a manager, the applications to be analyzed manually can be reduced.

Abstract: A detection system of a suspicious malicious website using the analysis of a JavaScript obfuscation strength, which includes: an entropy measuring processor of measuring an entropy of an obfuscated JavaScript present in the website, a special character entropy, and a variable/function name entropy; a frequency measuring processor of measuring a specific function frequency, an encoding mark frequency and a % symbol frequency of the JavaScript; a density measuring processor of measuring the maximum length of a single character string of the JavaScript; and a malicious website confirming processor of determining whether the relevant website is malicious by comparing an obfuscation strength value, measured by the entropy measuring processor, the frequency measuring processor and the density measuring processor, with a threshold value.

Abstract: Disclosed is a method of inspecting mass websites at a high speed, which visits and inspects the mass websites at a high speed and, at the same time, correctly detects unknown attacks, detection avoidance attacks and the like and extracts URLs related to vulnerability attacks. The method of inspecting mass websites at a high speed includes the steps of: simultaneously visiting, if a list of inspection target websites is received, a plurality of inspection target websites using multiple browsers; inspecting whether or not malicious code infection is attempted at the plurality of inspection target websites visited through the multiple browsers; extracting a malicious website where the attempt of malicious code infection is generated among the plurality of inspection target websites; and visiting the malicious website and tracing a malicious URL distributing a malicious code.

Abstract: Disclosed is a method of inspecting mass websites by visiting, which inspects the mass websites by visiting at a high speed using multiple browsers and multiple frames. The method of inspecting mass websites includes the steps of: simultaneously visiting, if a list of inspection target websites is received, a plurality of inspection target websites using multiple browsers; inspecting whether or not a malicious code infection attack is generated at the plurality of inspection target websites visited through the multiple browsers; and tracing, if the malicious code infection attack is detected among the plurality of inspection target websites, a malicious website through revisit inspection using a tree search algorithm.

Abstract: Disclosed is a method of determining whether or not a website is malicious at a high speed, which determines unknown attacks, detection avoidance attacks and the like at a high speed when the website is inspected by visiting. The method of determining whether or not a website is malicious at a high speed includes the steps of: simultaneously visiting, if a list of inspection target websites is received, a plurality of inspection target websites using multiple browsers; and grasping whether or not malicious code infection is attempted through a correlation analysis of behavior information created when the plurality of inspection target websites is visited through the multiple browsers.

Abstract: A system and method for detecting final distribution and landing sites of a malicious code. The method extracts and collecting new article URLs and advertisement banner URLs by inspecting a main page of a press company; filters malicious-suspected URLs suspicious of hiding the malicious code from the new article URLs and the advertisement banner URLs; collects files created when the malicious-suspected URLs are visited, through visit inspection; self-inspects the created files collected through the created file collection using a commercial vaccine; and traces, if the malicious code is detected in the created file, the final distribution and landing sites distributing the detected malicious code.

Abstract: Disclosed is a system for identifying malicious codes of high risk. The system includes a statistical data creation module for creating statistical data by collecting and processing malicious codes by channel, ranking, period, type, re-infection and vaccine diagnosis; a trend data creation module for creating trend data by processing the collected malicious codes by channel, field and type; a malicious code filtering module for extracting the malicious code of high risk from the collected malicious codes based on priority information including a URL type, the number of distribution sites, the number of landing sites, a vaccine diagnosis rate and the number of reports; and a database for processing and storing the statistical data, the trend data and the malicious codes of high risk in a form of a graph, a pie chart and a table.

Abstract: A system and method for periodically inspecting malicious code distribution and landing sites, which receives a malicious-suspected URL from a management server; collects a file which is created when the malicious-suspected URL is connected and self-inspecting existence of the malicious code in the collected file using a commercial vaccine; traces, if a malicious code is detected in the collected file, a final distribution site distributing the detected malicious code; confirms information on a landing site connected to the final distribution site and registering the final distribution site and the landing site in a landing/distribution site database; confirms whether or not the final distribution site and the landing site registered in the landing/distribution site database are connectible; and updates the landing/distribution site database according to whether or not the final distribution site and the landing site are connectible.

Abstract: An apparatus and method for effectively tracking a network path by using packet information generated when visiting a Web page are provided. According to embodiments of the invention, referrer information, seed information, and arrival information are extracted by using HTTP packet information generated while a particular Web page is being executed, whereby an infection path of malicious codes generated in several Web pages can be checked, thus preventing infection of a malicious code generated in Web pages.