Patents by Inventor Yang Seo Choi

Yang Seo Choi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20150121072
    Abstract: There is provided an object verification apparatus comprising: a communication module receiving object information to verify an object and integrity of the object, and requesting original object information to an integrity authentication server in which the original object information for the object is registered and receiving the original object information from the integrity authentication server; and a control module determining whether current object information extracted from the object and the object information are identical or not, controlling the communication module according to the determined result, and comparing the original object information and the current object information to verify the final integrity of the object.
    Type: Application
    Filed: April 16, 2014
    Publication date: April 30, 2015
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Yang-Seo CHOI, Ik-Kyun Kim
  • Patent number: 8543807
    Abstract: A method and apparatus for protecting an application layer in a computer network system. The method includes creating a session between a client and a data provider in response to a session connection request from the client, and determining the client as an application layer attacking client when the client generates a session termination request before the data provider transmits to the client a response packet to a data request from the client under the created session.
    Type: Grant
    Filed: December 21, 2009
    Date of Patent: September 24, 2013
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Jintae Oh, YouRi Lee, Yang-Seo Choi, Jong Soo Jang
  • Publication number: 20120324573
    Abstract: Provided is an apparatus and method for determining whether or not a specific network session is under a denial-of-service (DoS) attack. The method includes detecting a packet transmitted in the session, initializing the number of attack-suspicion continuation packets, increasing the number of attack-suspicion continuation packets by a predetermined number, and determining that the session is under the DoS attack.
    Type: Application
    Filed: April 23, 2012
    Publication date: December 20, 2012
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Dae Won KIM, Yang Seo Choi, Ik Kyun Kim
  • Publication number: 20120167222
    Abstract: An apparatus for diagnosing malicious files includes an information transferring unit configured to receive information regarding a malicious file distributed in a management network and an execution file generated by assembling packets collected from the management network; an anti-virus engine configured to determine whether or not the execution file is malicious to generate information regarding a new malicious file; and a management unit configured to transfer the information regarding the malicious file and the information regarding the new malicious file to a terminal device on the management network through the information transferring unit.
    Type: Application
    Filed: December 22, 2011
    Publication date: June 28, 2012
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Ik Kyun KIM, Yang-Seo CHOI, Byoung-Koo KIM, Seung Yong YOON, Youngjun HEO, Dae Won KIM, Il AHN CHEONG, Jintae OH, Jong Soo JANG
  • Publication number: 20120159623
    Abstract: A method for monitoring and processing domain name system (DNS) query traffic includes: monitoring DNS query traffic in each time slot during a monitoring period comprised of n number of time slots; extracting traffic information during the monitoring period by using the DNS query traffic monitored in said each time slot; and analyzing the extracted traffic information to detect a DNS traffic flooding attack.
    Type: Application
    Filed: December 14, 2011
    Publication date: June 21, 2012
    Applicant: Electronics and Telecommunications Research Institute
    Inventor: Yang-Seo CHOI
  • Patent number: 8166545
    Abstract: There are provided an apparatus and method for detecting an executable code, capable of verifying reliability of an extracted signature by determining whether there is present an executable code in network data by using instruction pattern information related calling mechanism of function for distinguishing the executable code from a non-executable code, the method including: forming instructions by reverse assembling network data suspicious as an attack; comparing the respective formed instructions with instruction patterns according to calling mechanism of function; and determining whether there is present an executable code in the network data according to a result of the comparing.
    Type: Grant
    Filed: March 7, 2008
    Date of Patent: April 24, 2012
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Dae Won Kim, Yang Seo Choi, Ik Kyun Kim, Jin Tae Oh, Jong Soo Jang
  • Patent number: 8095973
    Abstract: There are provided a network attack detection apparatus and method capable of determining even unknown network attack, the apparatus connected between two networks or connected by port mirroring of an Ethernet switch to real-time monitor all packets flowing through the networks. The apparatus decodes a payload portion of an inputted network packet into a machine code instruction, determines whether an executable code is included in the decoded machine code by analyzing relationship between instructions, and determines whether the packet is harmful based on statistics with respect to a possibility that an executable code exists in a service and a certain transaction of the service when the executable code is included.
    Type: Grant
    Filed: October 29, 2007
    Date of Patent: January 10, 2012
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ik Kyun Kim, Yang Seo Choi, Dae Won Kim, Jin Tae Oh, Jong Soo Jang
  • Publication number: 20110016523
    Abstract: An apparatus for detecting a distributed denial of service (DDoS) attack includes: a monitoring unit for monitoring multiple GET requests and responses transmitted and received depending on a session establishment between a client and a server; and an attack detection unit for analyzing the monitored multiple GET requests and responses between the client and the server to detect a traffic of the DDoS attack against the server.
    Type: Application
    Filed: December 8, 2009
    Publication date: January 20, 2011
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Jintae Oh, YouRi Lee, Yang-Seo Choi, Jong Soo Jang
  • Publication number: 20110016526
    Abstract: A method and apparatus for protecting an application layer in a computer network system. The method includes creating a session between a client and a data provider in response to a session connection request from the client, and determining the client as an application layer attacking client when the client generates a session termination request before the data provider transmits to the client a response packet to a data request from the client under the created session.
    Type: Application
    Filed: December 21, 2009
    Publication date: January 20, 2011
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Jintae OH, YouRi LEE, Yang-Seo CHOI, Jong Soo JANG
  • Publication number: 20100153421
    Abstract: The present invention discloses a device and method for detecting a packed PE (portable executable) file. In the device and method for detecting a packed PE file, information for detecting packing are extracted by analyzing the header of a target file, and a record containing characteristic values shown only in a packed PE file is created by using the extracted information. The packing of the target file is detected by calculating the similarity with a PE file which is not packed based on the created record and comparing it with a derived threshold value. Therefore, a packed PE file can be detected even if it is packed by a packing method which is not well-known.
    Type: Application
    Filed: May 1, 2009
    Publication date: June 17, 2010
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Yang Seo CHOI, Ik Kyun KIM, Jin Tae OH, Jae Cheol RYOU
  • Publication number: 20090158431
    Abstract: There is provided a method of detecting a polymorphic shell code. The decoding routine of the polymorphic shell code is detected from received data. In order for the decoding routine to access the address of an encoded code, the address of a currently executed code is stored in a stack, the value is moved in a register table, and it is determined whether the value is actually used for operating a memory. Emulation is finally performed and the degree of correctness of detection is improved. Therefore, time spent on detecting the polymorphic shell code and an overhead are reduced and the correctness of detection is increased.
    Type: Application
    Filed: December 12, 2008
    Publication date: June 18, 2009
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Dae Won KIM, Ik Kyun KIM, Yang Seo CHOI, Seung Yong YOON, Byoung Koo KIM, Jin Tae OH, Jong Soo JANG
  • Publication number: 20090133125
    Abstract: The present invention relates to an apparatus and method for detecting malware. The malware detection apparatus and method of the present invention determines whether a file is malware or not by analyzing the header of an executable file. Since the malware detection apparatus and method can quickly detect presence of malware, it can shorten detection time considerably. The malware detection apparatus and method can also detect even unknown malware as well as known malware to thereby estimate and determine presence of malware. Therefore, it is possible to cope with malware in advance, protect a system with a program, and increase security level remarkably.
    Type: Application
    Filed: September 12, 2008
    Publication date: May 21, 2009
    Inventors: Yang Seo Choi, Ik Kyun Kim, Byoung Koo Kim, Seung Yong Yoon, Dae Won Kim, Jin Tae Oh, Jong Soo Jang
  • Publication number: 20080291912
    Abstract: The present invention relates to a file detecting system and a method thereof. The file detecting system uses a signature of a file header and collects a network packet including a file to be detected among packets transmitted/received through a network. Subsequently, after the network protocol header is eliminated from the collected network packet, the file is reassembled and recovered. The recovered file is verified, and the verified file is transmitted to various file analysis systems.
    Type: Application
    Filed: March 7, 2008
    Publication date: November 27, 2008
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Yang-Seo CHOI, Ik-Kyun Kim, Dae-Won Kim, Jin-Tae Oh, Jong-Soo Jang
  • Publication number: 20080134334
    Abstract: There are provided a network attack detection apparatus and method capable of determining even unknown network attack, the apparatus connected between two networks or connected by port mirroring of an Ethernet switch to real-time monitor all packets flowing through the networks. The apparatus decodes a payload portion of an inputted network packet into a machine code instruction, determines whether an executable code is included in the decoded machine code by analyzing relationship between instructions, and determines whether the packet is harmful based on statistics with respect to a possibility that an executable code exists in a service and a certain transaction of the service when the executable code is included.
    Type: Application
    Filed: October 29, 2007
    Publication date: June 5, 2008
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Ik Kyun Kim, Yang Seo Choi, Dae Won Kim, Jin Tae Oh, Jong Soo Jang
  • Publication number: 20080104702
    Abstract: The present invention relates to a network-based Internet worm detection apparatus and method using vulnerability analysis and attack modeling. In the network-based Internet worm detection apparatus, a vulnerability information storage unit stores the vulnerability information of an application program that is necessary for attack detection. A threat determiner determines whether a packet transmitted over a network is destined for a vulnerable application program with vulnerability. A packet content extractor extracts, using the vulnerability information, information for determination of an attack packet from the packet determined to be destined for the vulnerable application program. An attack determiner compares and analyzes the extracted information and the vulnerability information to determine whether the packet is an attack packet. The vulnerability information of the application program and attack modeling are used to detect an Internet worm, thereby making it possible to counteract the attack packet.
    Type: Application
    Filed: March 14, 2007
    Publication date: May 1, 2008
    Inventors: Yang Seo CHOI, Dae Won KIM, Ik Kyun KIM, Jin Tae OH
  • Publication number: 20080083034
    Abstract: Provided is an attack classification method for computer network security. In the attack classification method, attacks are classified depending on vulnerability abused by an attack, attack propagation skills, and attack intentions. The classification results are arranged in the order of the vulnerability abused by an attack, the attack propagation skills, and the attack intentions. The arranged classification results are output. Accordingly, it is possible to easily detect an attack flow where an attack A propagates in the propagation skill C using the vulnerability B and the attack skill F is used for the attack target E to achieve the attack purpose D.
    Type: Application
    Filed: June 4, 2007
    Publication date: April 3, 2008
    Inventors: Dae Won KIM, Yang Seo CHOI, Ik Kyun KIM, Jin Tae OH, Jong Soo JANG
  • Publication number: 20060130146
    Abstract: A network packet generation apparatus and method with an attack test packet generation function for testing a performance of an information security system is provided. The network packet generation method includes the steps of: setting attack test packets according to setting data inputted by a user and a pre-stored attack detection rule; generating the attack test packets according to the setting data; transmitting the attack test packets to the information security system and receiving monitored and stored reaction packets against the attack test packets; and analyzing the received reaction packets, thereby making it possible to improve the accuracy and reliability of an information security system test and reduce the necessary time for the information security system test.
    Type: Application
    Filed: December 29, 2004
    Publication date: June 15, 2006
    Inventors: Yang Seo Choi, Dong Il Seo
  • Publication number: 20040049695
    Abstract: In a system for providing a real-time attacking connection traceback, an intrusion detection unit detects a hacker's attack. A packet block unit blocks a response of an attacked system. A path block tracing unit generates a policy to block a specific packet, collects a response packet, inserts the generated watermark in the packet, transmits the watermark-inserted packet to a system and forms a traceback path. A watermark detection unit checks a received/transmitted packet in a network, extracts a corresponding watermark if there exists the watermark-inserted packet and transmits the watermark-inserted packet detection information to an attacking connection traceback system that initially inserted a watermark into a packet.
    Type: Application
    Filed: December 24, 2002
    Publication date: March 11, 2004
    Inventors: Yang Seo Choi, Byeong Cheol Choi, Dong Ho Kang, Seung Wan Han, Dong Il Seo
  • Publication number: 20030159069
    Abstract: Disclosed is a network-based attack tracing system and method using a distributed attack detection agent and manager system that can detect and trace an attack path of a hacker in real time on the whole network using distributed network-based attack detection agent, request manager, and reply manager. The agent detects an attack using a network-based intrusion detection system (NIDS), analyzes an alarm log that is judged to be the attack, changes the analyzed alarm log into attack information, and transmits the attack information to the request manager. The request manager performs a search of an attack IP based on the attack information received from the agent, stores a result of search in a tree structure, and if a final search is completed, extracts a hacking path using a binary search tree (BST) algorithm.
    Type: Application
    Filed: October 18, 2002
    Publication date: August 21, 2003
    Inventors: Byeong Cheol Choi, Yang Seo Choi, Dong Ho Kang, Dong Il Seo, Sung Won Sohn, Chee Hang Park