Patents by Inventor Thien-Phuc Doan

Thien-Phuc Doan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240078319
    Abstract: Provided is an eBPF-based hot patch engine device for protecting kernel vulnerabilities. The eBPF-based hot patch engine device comprises a container-aware code generating unit for generating a container-aware code for identifying a target container, to which a hot patch is attached; and a hot patch configuring unit for configuring an eBPF-based hot patch code for attaching a hot patch to the target container based on the container-aware code. Accordingly, it is possible to prevent attacks based on CVEs, which are known vulnerabilities for container systems, by hot patching kernel-related CVEs at runtime without rebooting and freezing.
    Type: Application
    Filed: June 15, 2023
    Publication date: March 7, 2024
    Applicant: Foundation of Soongsil University-Industry Cooperation
    Inventors: Souhwan JUNG, Thien-Phuc DOAN, Songi GWAK
  • Publication number: 20240079027
    Abstract: Provided is a method for detecting a synthetic voice based on a biological sound, the method comprises receiving an audio stream; extracting a biological feature vector corresponding to a meaningless voice from the audio stream; extracting a synthetic voice feature vector from the audio stream; combining the biological feature vector and the synthetic voice feature vector to generate a combined feature vector; and determining whether the audio stream is a synthetic voice based on the combined feature vector. Accordingly, it is possible to detect a synthetic voice at a lower computational cost than a conventional neural network that detects a synthetic voice by learning the correlation between frames.
    Type: Application
    Filed: December 2, 2022
    Publication date: March 7, 2024
    Applicant: Foundation of Soongsil University-Industry Cooperation
    Inventors: Soohwan JUNG, Kihun HONG, Thien-Phuc DOAN
  • Publication number: 20230362198
    Abstract: Provided is a dynamic security policy enforcement system for a container system. The dynamic security policy enforcement system comprises a policy management unit for generating and managing a security policy for a container based on a structured format including a set of rules of a predetermined condition; a policy enforcement unit for checking the set of rules when the container requests a system call, changing the security policy of the structured format into a code in a preset format, and transferring the policy changed into the code to a kernel space; and a policy operation decision unit for enforcing the policy received from the policy enforcement unit in the kernel space based on a policy enforcement program that hooks the system call and generating a return value for performing a predetermined operation.
    Type: Application
    Filed: April 17, 2023
    Publication date: November 9, 2023
    Applicant: Foundation of Soongsil University-Industry Cooperation
    Inventors: Souhwan JUNG, Thien-phuc DOAN, Songi GWAK
  • Publication number: 20230195891
    Abstract: Provided is a resource monitoring apparatus including a log generation unit for extracting a method requested from a hardware abstraction layer and generating a log; a log classification unit for classifying the generated log according to a type of an interface connected to the method; and a log determination unit for identifying a malicious activity from the classified log based on pattern information of the log set differently depending on the type of the interface.
    Type: Application
    Filed: November 26, 2020
    Publication date: June 22, 2023
    Applicant: Foundation of Soongsil University-Industry Cooperation
    Inventors: Soohwan JUNG, Thien-Phuc DOAN, Hyunseok SHIM
  • Publication number: 20230015726
    Abstract: Provided is a design method for sharing a profile in a container environment, including: extracting a sensitive context defined as information related to system-based access control or a sandboxing policy and an insensitive context defined as information unrelated to security for a profile provided by a developer; extracting the sensitive context and the insensitive context for the profile provided by a host; fetching a max configuration for the sensitive and insensitive contexts from each image layer of the developer; and generating a final profile that is applied to deploy the container by merging the host profile with the max configuration fetched from the developer profile. Accordingly, it is possible to provide an optimal environment to developers and hosts by generating the final profile with a hierarchical model using the host profile and the developer profile.
    Type: Application
    Filed: July 29, 2022
    Publication date: January 19, 2023
    Inventors: Soohwan JUNG, Ngoc-Tu CHAU, Thien-Phuc DOAN, Songi GWAK
  • Publication number: 20230008660
    Abstract: Provided is a method of analyzing a container system call configuration error, including: profiling a set of trusted images that are uploaded to a public or private container image repository during initialization of a system or verified by a repository owner; identifying a custom service layer and known service layers based on the trusted image when a custom image is transmitted to the system; analyzing only the custom service layer by a system call extraction engine; and generating and optimizing a profile with an essential and non-malicious system call by scanning the custom service layer to remove a malicious program or a vulnerable system call. Accordingly, it is possible to reduce overhead by omitting re-analysis of known images in a container image scanning process.
    Type: Application
    Filed: July 29, 2022
    Publication date: January 12, 2023
    Inventors: Soohwan JUNG, Thien-Phuc DOAN, Songi GWAK
  • Publication number: 20220108023
    Abstract: Provided is a docker image vulnerability inspection device, which extracts and classifies an instruction by analyzing a manifest file of a docker image, maps a file designated in the instruction to a plurality of classes, sets vulnerability of the file according to an extraction condition preset to each of the plurality of classes, and checks vulnerability of the file according to the vulnerability set to the file based on a CVE database prepared in advance.
    Type: Application
    Filed: July 22, 2021
    Publication date: April 7, 2022
    Inventors: Souhwan Jung, Thien-Phuc Doan, Songi Gwak