Abstract: Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

Abstract: A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.

Abstract: Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.

Abstract: Provided is a device and method for inspecting software for vulnerabilities which fuzzes the software by function. The device for inspecting software for vulnerabilities includes a target function selecting module for selecting a function of the software for vulnerabilities to be inspected, a comparison file generating module for generating a first file including the selected function and a second file not including the selected function, a binary pattern comparing module for detecting a changed or added binary pattern by comparing binary values of the first file and the second file, a test case generating module for generating at least one test case based on the detected binary pattern, and a vulnerability verifying module for inspecting vulnerabilities based on the at least one test case and generating a vulnerability inspection result.

Abstract: Provided is an apparatus and method for detecting a malicious file that attempts to initiate communication in a mobile terminal without a user's approval. The method of detecting a malicious file in a mobile terminal includes: determining whether a file to be examined is an executable file; when the file is an executable file, examining whether the file is a malicious file that can cause unapproved communication based on at least one predetermined examination condition; and outputting the result of examining whether the file is the malicious file. Accordingly, an attack caused by a new type of malicious code can be coped with.

Abstract: Provided are an apparatus and method for detecting a malicious process. The apparatus includes: a process monitoring unit for monitoring a process generated in a computing environment; a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit; a process generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a generation time; a generation time change preventing unit for preventing a change in the generation time of the target process when the target process requests to change the generation time; and a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process is generated within a predetermined reference time.

Abstract: Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

Abstract: Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.

Abstract: A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not, the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.

Abstract: Provided is a system and method for searching for a document based on a policy. The system includes: a document database for storing document files; a document format and text filer for extracting document format information and text information from a document newly stored in the document database; a document format policy module for setting a document format search policy according to an instruction from an administrator; a document text policy module for setting a document text search policy according to an instruction from the administrator; a document format information search module for searching for a document having a document format matching the set document format search policy in the document database; and a document text information search module for searching for a document having a text matching the set document text search policy in the document database.

Abstract: Provided is an apparatus and method for detecting a malicious file that attempts to initiate communication in a mobile terminal without a user's approval. The method of detecting a malicious file in a mobile terminal includes: determining whether a file to be examined is an executable file; when the file is an executable file, examining whether the file is a malicious file that can cause unapproved communication based on at least one predetermined examination condition; and outputting the result of examining whether the file is the malicious file. Accordingly, an attack caused by a new type of malicious code can be coped with.

Abstract: A device and method for blocking autorun of a malicious code through an autorun file stored in a removable storage device are provided. A device manager monitors a connection of a removable storage device, acquires a global unique identifier of the removable storage device, and deletes an autorun file for running the malicious code from the removable storage. A registry manager determines whether a registry key for storing content of the autorun file is generated using the global unique identifier of the removable storage device and deletes the registry key. The present invention can block autorun of a malicious code stored in the removable storage device by retrieving and deleting a registry key for performing the autorun technique when a removable storage device is connected to a system.

Abstract: Provided are an apparatus and method for detecting a Dynamic Link Library (DLL) inserted by a malicious code. The method includes collecting first DLL information from an image file of a process before the process is executed; collecting second DLL information loaded into a memory as the process is executed; comparing the first DLL information with the second DLL information to extract information on an explicit DLL; and determining whether the explicit DLL is a DLL inserted by a malicious code or not.

Abstract: Provided is a device and method for inspecting software for vulnerabilities which fuzzes the software by function. The device for inspecting software for vulnerabilities includes a target function selecting module for selecting a function of the software for vulnerabilities to be inspected, a comparison file generating module for generating a first file including the selected function and a second file not including the selected function, a binary pattern comparing module for detecting a changed or added binary pattern by comparing binary values of the first file and the second file, a test case generating module for generating at least one test case based on the detected binary pattern, and a vulnerability verifying module for inspecting vulnerabilities based on the at least one test case and generating a vulnerability inspection result.

Abstract: Provided are an apparatus and method for detecting a malicious process. The apparatus includes: a process monitoring unit for monitoring a process generated in a computing environment; a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit; a process generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a generation time; a generation time change preventing unit for preventing a change in the generation time of the target process when the target process requests to change the generation time; and a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process is generated within a predetermined reference time.

Abstract: Provided are a method and system for supporting a simulated-exercise in a cyber space using a message. The system for supporting a simulated-exercise using a massage includes a simulated-exercise manager system for training trainees in a remote location connected through a network by transmitting a situation message for informing critical situations to the trainees and an automatic response message.

Abstract: Provided are an apparatus and a method for detecting a self-executable compressed file by analyzing an executable program. The present invention firstly performs a static analysis on an executable file to search an executable file format, examines a section name part to determine whether the executable file format can be executable or not in compliance with a PE format standard based on a general PE file structure, and determines the executable file as a suspicious file if there is an abnormal section name or structure. Secondly, instructions are examined through disassembling in a section range where a corresponding executable file entry point exists if the suspicious part is found in the first analysis, and it is determined that the file is finally self-executable compressed if there is a file jumping from an address space of a section range where the entry point exists and jumping into a memory region of another section having read/write/execute characteristics.