Abstract: A 5G smart factory replay attack detection method includes (A) acquiring and managing, by a 5G smart factory replay attack detection apparatus, user information including IP information assigned to a user terminal, (B) acquiring factory facility command data based on user data in a GTP-U protocol between a 5G base station and a user plane function (UPF), and managing the acquired factory facility command data as an authentication command for each user terminal, (C) acquiring the factory facility command data and user terminal IP information based on the user data, (D) comparing the factory facility command data and the user terminal IP information with the authentication command for each user terminal and the IP information acquired in the (A) acquiring and managing of the user information, respectively, and (E) detecting an attack based on the command comparison result and the IP information comparison result.

Abstract: Disclosed is an apparatus for distributed processing of an identical packet in high-speed network security equipment, including: a plurality of analysis modules for each determining whether vulnerability analysis is required by analyzing a received packet; a circular queue for receiving the packet from an analysis module initially determining that the vulnerability analysis is required and storing the received packet as a bucket structure; and a plurality of analysis engines for each performing different vulnerability analyses for the packet acquired from the circular queue based on a packet address of the bucket structure, in which the bucket structure includes a packet data storage unit and packet use information storage units which are as many as the plurality of analysis engines, and the packet use information storage units store packet use information of the plurality of respective analysis engines, respectively.

Abstract: An apparatus for traffic security processing in a slicing service of mobile edge computing according to an embodiment of the present invention includes: a plurality of security modules for analyzing a received packet to respectively execute security functions suitable for slicing security of mobile edge computing; a controller for managing a slicing security module list in the mobile edge computing; and a main security module for analyzing a received packet on the basis of the slicing security module list to determine a security function to be executed and priority of the security function to be executed, wherein the controller transmits the received packet to at least one corresponding security module among the plurality of security modules according to the priority of the security function to be executed, which is determined by the main security module.

Abstract: Disclosed is an apparatus for distributed processing of an identical packet in high-speed network security equipment, including: a plurality of analysis modules for each determining whether vulnerability analysis is required by analyzing a received packet; a circular queue for receiving the packet from an analysis module initially determining that the vulnerability analysis is required and storing the received packet as a bucket structure; and a plurality of analysis engines for each performing different vulnerability analyses for the packet acquired from the circular queue based on a packet address of the bucket structure, in which the bucket structure includes a packet data storage unit and packet use information storage units which are as many as the plurality of analysis engines, and the packet use information storage units store packet use information of the plurality of respective analysis engines, respectively.

Abstract: The present disclosure relates to an apparatus and method for reconfiguring a signature used in a signature-based abnormal traffic detection scheme. A signature reconfiguration method of the present disclosure comprises: selecting a signature from a signature list and dividing the selected signature into a plurality of signature fragments; calculating a first impact for each of a plurality of load elements by inspection of the plurality of signature fragments for the plurality of load elements; calculating a second impact for each of the plurality of load elements by applying a weight for each of the plurality of load elements to the first impact; calculating a final load impact for each signature fragment by summing corresponding second impacts to each signature fragment among the calculated second impacts; and rearranging an order of the plurality of signature fragments according to a magnitude of the calculated final load impact.

Abstract: Provided are a multi-pattern policy detection system and method, wherein, in an environment that operates a plurality of policies for determining matching or non-matching by a string or a normalized format, the plurality of policies are expressed by a data structure that is searchable at a time, and are optimized to improve search performance.

Abstract: The present disclosure relates to an apparatus and method for reconfiguring a signature used in a signature-based abnormal traffic detection scheme. A signature reconfiguration method of the present disclosure comprises: selecting a signature from a signature list and dividing the selected signature into a plurality of signature fragments; calculating a first impact for each of a plurality of load elements by inspection of the plurality of signature fragments for the plurality of load elements; calculating a second impact for each of the plurality of load elements by applying a weight for each of the plurality of load elements to the first impact; calculating a final load impact for each signature fragment by summing corresponding second impacts to each signature fragment among the calculated second impacts; and rearranging an order of the plurality of signature fragments according to a magnitude of the calculated final load impact.

Abstract: Provided are a multi-pattern policy detection system and method, wherein, in an environment that operates a plurality of policies for determining matching or non-matching by a string or a normalized format, the plurality of policies are expressed by a data structure that is searchable at a time, and are optimized to improve search performance.

Abstract: The present invention includes creating a session in response to a session setup request for a general packet radio service (GPRS) application service, receiving GTP packet data using GPRS tunneling protocol (GTP) tunnel, performing decoding on the GTP packet data, determining whether there is an attack attributable to malicious behavior based on a predetermined management DB, identifying the type of the GTP packet data as the type of GTP packet for attacked GTP packet data and the type of GTP packet for non-attacked packet data based on a result of the determination, carrying out a predetermined policy for the identified type of GTP packet, performing the standardization of the packet data of each GTP version, determining whether the standardized packet data has been registered with a hash buffer in accordance with the type of pairing message for each command, and processing a session based on a result of the determination.

Abstract: A pattern matching system for a network security device includes a pattern matching card configured to generate a pattern matching result by matching data of a received packet with a pre-stored pattern of a signature pattern table, and an analyzing engine configured to copy the packet and transfer the copied packet to the pattern matching card and configured to detect a bad traffic based on packet analysis information of the packet and the pattern matching result received from the pattern matching card. The analyzing engine is configured to detect a bad traffic based on a pattern matching result for a single packet and packet analysis information during a single-packet-based analysis and is configured to detect a bad traffic based on a pattern matching result for successive packets and packet analysis information during a multi-packet-based analysis.

Abstract: The present invention includes creating a session in response to a session setup request for a general packet radio service (GPRS) application service, receiving GTP packet data using GPRS tunneling protocol (GTP) tunnel, performing decoding on the GTP packet data, determining whether there is an attack attributable to malicious behavior based on a predetermined management DB, identifying the type of the GTP packet data as the type of GTP packet for attacked GTP packet data and the type of GTP packet for non-attacked packet data based on a result of the determination, carrying out a predetermined policy for the identified type of GTP packet, performing the standardization of the packet data of each GTP version, determining whether the standardized packet data has been registered with a hash buffer in accordance with the type of pairing message for each command, and processing a session based on a result of the determination.

Abstract: The present disclosure relates to a packet transfer system and method, which can greatly improve the efficiency of a packet transfer scheme using a memory pool technique. The packet transfer system for high-performance network equipment includes a memory pool processor configured to include therein one or more memory blocks and store packet information input to an NIC. A memory allocation manager is configured to control allocation and release of the memory blocks, update information of memory blocks in response to a request of a queue or an engine, and transfer memory block addresses. The queue is configured to request a memory block from the memory allocation manager, and transfer a received memory block address to outside of the queue. The engine is configured to receive the memory block address from the queue, and perform a predefined analysis task with reference to packet information.

Abstract: A pattern matching system for a network security device includes a pattern matching card configured to generate a pattern matching result by matching data of a received packet with a pre-stored pattern of a signature pattern table, and an analyzing engine configured to copy the packet and transfer the copied packet to the pattern matching card and configured to detect a bad traffic based on packet analysis information of the packet and the pattern matching result received from the pattern matching card. The analyzing engine is configured to detect a bad traffic based on a pattern matching result for a single packet and packet analysis information during a single-packet-based analysis and is configured to detect a bad traffic based on a pattern matching result for successive packets and packet analysis information during a multi-packet-based analysis.

Abstract: The present invention relates to a distributed packet processing system for high-speed networks and a distributed packet processing method using thereof, in which a FIFO-type packet processing engine having three packet processing steps is provided in plurality to process packet data in parallel in processing packets for high-speed networks, and, therefore, packet sequences are guaranteed, and packets can be further promptly process.