Patents by Inventor Woong GO
Woong GO has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240289454
Abstract: An apparatus for collecting meta data related to malicious code meta information, includes: an application programming interface (API) key setting unit configured to register as a member of a collection channel related to malicious code of cyber attacks, and set the API key as an initialization input; a collection channel access unit configured to, upon input of the set API key, access the collection channel; an execution command interpretation unit configured to, subsequent to accessing the collection channel, upon input of an execution command, interpret the input execution command; and a meta information management unit configured to, based on API information provided from the collection channel according to the interpreted execution command, extract at least one piece of meta information for identifying an attack group, and manage the at least one piece of meta information in a JSON format for each attack group.
Type: Application
Filed: February 12, 2024
Publication date: August 29, 2024
Applicant: Korea Internet & Security Agency
Inventors: Jae Han JEONG, Chan Woong HWANG, Jae Gyu JEON, Woong GO
-
Publication number: 20220201011
Abstract: Provided is a method performed by a computing device for classifying a type of exploit.
Type: Application
Filed: March 29, 2021
Publication date: June 23, 2022
Applicant: KOREA INTERNET & SECURITY AGENCY
Inventors: Jae Hyuk Lee, Woong Go, Hong Geun Kim, Sung Taek Oh
-
Publication number: 20220191113
Abstract: Provided is a method performed by a computing device for monitoring an abnormal behavior of a plurality of IoT devices. The method comprises determining abnormality of a behavior of each of the plurality of IoT devices based on traffic data representing the behavior of each of the plurality of IoT devices, clustering the behavior of each of the plurality of IoT devices based on the traffic data and a result of the determining the abnormality and generating data for representing a plurality of clusters formed as a result of the clustering such that a first cluster corresponding to a normal behavior cluster and a second cluster corresponding to an abnormal behavior cluster are displayed on different planes, the first cluster and the second cluster being divided based on the result of the determining the abnormality.
Type: Application
Filed: March 22, 2021
Publication date: June 16, 2022
Applicant: KOREA INTERNET & SECURITY AGENCY
Inventors: Sung Taek Oh, Woong Go, Hong Geun Kim, Jae Hyuk Lee
-
Publication number: 20220156320
Abstract: Provided is a method performed by a computing device for identifying a device. The method includes receiving a target packet from an identification target device, extracting a pattern of the target packet, the target packet being transmitted by the identification target device from the packet, matching the pattern of the target packet with at least one of packet patterns stored in an identification information DB, comparing a first model name with a second model name, the first model name being corresponding to the matched pattern stored in the identification information DB, the second model name being selected by a user of a user terminal, and transmitting a proposed model name to the user terminal based on determining that the first model name and the second model name are different, the proposed model name being used for connection between the user terminal and the identification target device.
Type: Application
Filed: March 12, 2021
Publication date: May 19, 2022
Applicant: KOREA INTERNET & SECURITY AGENCY
Inventors: Jae Hyuk Lee, Woong Go, Hong Geun Kim, Sung Taek Oh
-
Patent number: 11336671
Abstract: Provided is a method for detecting an anomaly in devices, the method being performed by a computing device and comprising: acquiring operation information on a first device connected to a security management unit (SMU) of a first domain, and operation information on a second device connected to a SMU of a second domain, and detecting an anomaly in the first device and/or the second device by comparing the operation information on the first device with the operation information on the second device, wherein the SMU of the first domain is not directly connected to the SMU of the second domain.
Type: Grant
Filed: July 19, 2019
Date of Patent: May 17, 2022
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Mi Joo Kim, Woong Go, Sung Taek Oh, Jae Hyuk Lee, Jun Hyung Park
-
Patent number: 11334631
Abstract: Provided is a method performed by a computing device for identifying a device. The method includes receiving a target packet from an identification target device, extracting a pattern of the target packet, the target packet being transmitted by the identification target device from the packet, matching the pattern of the target packet with at least one of packet patterns stored in an identification information DB, comparing a first model name with a second model name, the first model name being corresponding to the matched pattern stored in the identification information DB, the second model name being selected by a user of a user terminal, and transmitting a proposed model name to the user terminal based on determining that the first model name and the second model name are different, the proposed model name being used for connection between the user terminal and the identification target device.
Type: Grant
Filed: March 12, 2021
Date of Patent: May 17, 2022
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Jae Hyuk Lee, Woong Go, Hong Geun Kim, Sung Taek Oh
-
Patent number: 11245712
Abstract: There is provided a method of generating malicious traffic, the method being performed by a computing apparatus and comprising obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device, generating a traffic template of the first device by analyzing the traffic data, and generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.
Type: Grant
Filed: July 19, 2019
Date of Patent: February 8, 2022
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Sung Taek Oh, Woong Go, Mi Joo Kim, Jae Hyuk Lee, Jun Hyung Park
-
Patent number: 11206277
Abstract: Provided is a method performed by a computing device for detecting abnormal behavior in a network. The method comprises obtaining a plurality of individual rules, wherein an individual rule of the plurality of individual rules is for extracting first output data from at least one input data set among a plurality of input data sets, the first output data satisfying a first extraction condition, obtaining a plurality of association rules, wherein an association rule of the plurality of association rules is for extracting second output data from at least one of the plurality of input data sets and the first output data, the second output data satisfying a second extraction condition and detecting abnormal behavior in a network based on third output data, the third output data being extracted using one of the plurality of individual rules and the plurality of association rules.
Type: Grant
Filed: March 12, 2021
Date of Patent: December 21, 2021
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Sung Taek Oh, Woong Go, Hong Geun Kim, Jae Hyuk Lee
-
Apparatuses for optimizing rule to improve detection accuracy for exploit attack and methods thereof
Patent number: 11057425
Abstract: An apparatus comprising a processor to execute the rule optimizer to perform a number of operations. One operation comprises obtaining log data including a result of detecting an exploit attack based on a rule. Another operation comprises time-series analyzing the obtained log data to update at least some of previously applied detection rules. There is provided an apparatus for automatically optimizing a rule to improve the detection accuracy for an exploit attack in a rule-based attack detection system, and a method performed on the apparatus.
Type: Grant
Filed: April 9, 2020
Date of Patent: July 6, 2021
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Mi Joo Kim, Woong Go, Hong Geun Kim, Sung Taek Oh, Jae Hyuk Lee, Soon Tai Park
-
APPARATUSES FOR OPTIMIZING RULE TO IMPROVE DETECTION ACCURACY FOR EXPLOIT ATTACK AND METHODS THEREOF
Publication number: 20210168169
Abstract: An apparatus comprising a processor to execute the rule optimizer to perform a number of operations. One operation comprises obtaining log data including a result of detecting an exploit attack based on a rule. Another operation comprises time-series analyzing the obtained log data to update at least some of previously applied detection rules. There is provided an apparatus for automatically optimizing a rule to improve the detection accuracy for an exploit attack in a rule-based attack detection system, and a method performed on the apparatus.
Type: Application
Filed: April 9, 2020
Publication date: June 3, 2021
Inventors: Mi Joo Kim, Woong Go, Hong Geun Kim, Sung Taek Oh, Jae Hyuk Lee, Soon Tai Park
-
Publication number: 20210160253
Abstract: Provided are methods and systems for identifying an Internet of things (IoT) device. A method of clustering an Internet of things (IoT) device, the method comprises determining a device group to which the IoT device belongs by applying the network packet of the IoT device obtained from the device identification apparatus to the clustering model, transmitting device group information according to the determination to the device identification apparatus and obtaining detailed identification information of the IoT device from the device identification apparatus, wherein the detailed identification information comprises a detailed model of the IoT device analyzed using the device group information.
Type: Application
Filed: April 8, 2020
Publication date: May 27, 2021
Inventors: Jae Hyuk Lee, Woong Go, Hong Geun Kim, Mi Joo Kim, Sung Taek Oh, Soon Tai Park
-
Publication number: 20210158976
Abstract: Provided is a method for managing abnormal behavior of an IoT device performed at an IoT gateway connected to the IoT device. The method comprises collecting a transmission packet transmitted by the IoT device, calculating historical time series metrics for the IoT device using the collected packet, setting normal ranges of the time series metrics using at least one of a maximum value, a minimum value, and an average value of a curvature of a curve generated based on mapping the calculated historical time series metrics onto a two-dimensional plane, and determining whether current time series metrics calculated using a received packet from the IoT device are out of the normal ranges.
Type: Application
Filed: March 25, 2020
Publication date: May 27, 2021
Inventors: Sung Taek Oh, Woong Go, Hong Geun Kim, Mi Joo Kim, Jae Hyuk Lee, Soon Tai Park
-
Patent number: 10916351
Abstract: Provided is a method for classifying a cyber-attack performed in a computing device having an artificial neural network. The method comprises obtaining a plurality of features extracted from collected packets and inputting the plurality of features into the artificial neural network and using data output from the artificial neural network to determine a type of cyber-attack indicated by the collected packet.
Type: Grant
Filed: March 25, 2020
Date of Patent: February 9, 2021
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Sung Taek Oh, Woong Go, Hong Geun Kim, Mi Joo Kim, Jae Hyuk Lee, Soon Tai Park
-
Publication number: 20200195674
Abstract: Provided is a method for detecting an anomaly in devices, the method being performed by a computing device and comprising: acquiring operation information on a first device connected to a security management unit (SMU) of a first domain, and operation information on a second device connected to a SMU of a second domain, and detecting an anomaly in the first device and/or the second device by comparing the operation information on the first device with the operation information on the second device, wherein the SMU of the first domain is not directly connected to the SMU of the second domain.
Type: Application
Filed: July 19, 2019
Publication date: June 18, 2020
Applicant: KOREA INTERNET & SECURITY AGENCY
Inventors: Mi Joo Kim, Woong Go, Sung Taek Oh, Jae Hyuk Lee, Jun Hyung Park
-
Publication number: 20200169577
Abstract: There is provided a method of generating malicious traffic, the method being performed by a computing apparatus and comprising obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device, generating a traffic template of the first device by analyzing the traffic data, and generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.
Type: Application
Filed: July 19, 2019
Publication date: May 28, 2020
Applicant: KOREA INTERNET & SECURITY AGENCY
Inventors: Sung Taek Oh, Woong Go, Mi Joo Kim, Jae Hyuk Lee, Jun Hyung Park
-
Patent number: 10581885
Abstract: There is provided a reinforcement learning method in which a discount factor is automatically adjusted, the method being executed by a computing device and comprising repeatedly training a reinforcement learning model, which determines an evaluation result of input data, using the input data, wherein the repeatedly training of the reinforcement learning model comprises obtaining first result data which is output as a result of inputting the input data to the reinforcement learning model, obtaining second result data which is the result of evaluating the input data using a first evaluation model, obtaining a first return which is the result of adding a discount factor to a first reward given in consideration of whether the first result data and the second result data match, training the reinforcement learning model using the first return and automatically adjusting the discount factor by considering the second result data.
Type: Grant
Filed: July 19, 2019
Date of Patent: March 3, 2020
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Sung Taek Oh, Woong Go, Mi Joo Kim, Jae Hyuk Lee, Jun Hyung Park
-
Publication number: 20170201532
Abstract: A black market collection system for tracing distributors of mobile malware comprises: a black market collection module for collecting web sites suspected to be a black market or apk files suspected to be a black market app by a search related to black markets through portal sites, and creating a URL list of the collected web sites suspected to be a black market; an app static analysis module for obtaining a source code by decompiling the collected apk file and detecting a URL of a site address distributing a corresponding app; a site analysis module for collecting apk files by analyzing the URL or each URL pattern thereof and creating an apk collection pattern rule related to paths of collecting the apk files; and a database for storing the URL list of the collected web sites suspected to be a black market and the created apk collection pattern rule.
Type: Application
Filed: January 26, 2016
Publication date: July 13, 2017
Inventors: Woong GO, Eun Young CHOI, Mi Joo KIM, Tae Jin LEE
-
Publication number: 20170200164
Abstract: Provided are an apparatus and method for detecting a fraudulent transaction using machine learning. The apparatus for detecting a fraudulent transaction using machine learning includes a settlement information input unit configured to receive settlement information of a user device in response to a settlement request from the user device, a feature information extraction unit configured to extract feature information from the received settlement information, and a fraudulent transaction determination unit configured to determine whether a transaction is a fraudulent transaction or not using a plurality of machine learning algorithms based on the extracted feature information.
Type: Application
Filed: January 26, 2016
Publication date: July 13, 2017
Inventors: Eun Young CHOI, Woong GO, Mi Joo KIM, Tae Jin LEE
-
Publication number: 20160182233
Abstract: A power information transmitting and receiving system in a smart grid comprises: a plurality of home appliances for creating power information by matching consumed power to home appliance identification information; a plurality of smart meters for receiving and storing the power information, creating a first hash value (HSM) for verifying integrity of the stored power information, encrypting the power information using a symmetric key, matching the encrypted data to smart meter identification information; a plurality of data collecting units for decrypting the received data, verifying integrity of the data, collecting the data, creating an integrity verification value for each smart meter, encrypting the smart meter identification information, a total power consumption, a collection time and a third hash value (HDCU), matching the encrypted data to data collecting unit identification information; and an AMI head-end for decrypting the data, performing integrity verification, collecting data for each data colle
Type: Application
Filed: December 7, 2015
Publication date: June 23, 2016
Inventors: Woong GO, Jeong Jun SUH, Hae Ryong PARK