| Patent application number | Description | Published |
| --- | --- | --- |
| 20080291912 | SYSTEM AND METHOD FOR DETECTING FILE - The present invention relates to a file detecting system and a method thereof. The file detecting system uses a signature of a file header and collects a network packet including a file to be detected among packets transmitted/received through a network. Subsequently, after the network protocol header is eliminated from the collected network packet, the file is reassembled and recovered. The recovered file is verified, and the verified file is transmitted to various file analysis systems. | 11-27-2008 |
| 20090133125 | METHOD AND APPARATUS FOR MALWARE DETECTION - The present invention relates to an apparatus and method for detecting malware. The malware detection apparatus and method of the present invention determines whether a file is malware or not by analyzing the header of an executable file. Since the malware detection apparatus and method can quickly detect presence of malware, it can shorten detection time considerably. The malware detection apparatus and method can also detect even unknown malware as well as known malware to thereby estimate and determine presence of malware. Therefore, it is possible to cope with malware in advance, protect a system with a program, and increase security level remarkably. | 05-21-2009 |
| 20090158427 | SIGNATURE STRING STORAGE MEMORY OPTIMIZING METHOD, SIGNATURE STRING PATTERN MATCHING METHOD, AND SIGNATURE STRING MATCHING ENGINE - Enclosed are a signature string storage memory optimizing method, a signature string pattern matching method, and a signature matching engine. Signature is tokenized in units of substrings and the tokenized substrings are stored in an internal memory block and an external memory block to optimize a memory storage pattern. Therefore, matching of introduction data to signature patterns is effectively performed. | 06-18-2009 |
| 20090158431 | METHOD OF DETECTING POLYMORPHIC SHELL CODE - There is provided a method of detecting a polymorphic shell code. The decoding routine of the polymorphic shell code is detected from received data. In order for the decoding routine to access the address of an encoded code, the address of a currently executed code is stored in a stack, the value is moved in a register table, and it is determined whether the value is actually used for operating a memory. Emulation is finally performed and the degree of correctness of detection is improved. Therefore, time spent on detecting the polymorphic shell code and an overhead are reduced and the correctness of detection is increased. | 06-18-2009 |
| 20090161864 | BLOCK CIPHER ARIA SUBSTITUTION APPARATUS AND METHOD - A block cipher ARIA substitution apparatus, the apparatus includes a first Sbox operation unit for performing operations of a substitution box S | 06-25-2009 |
| 20090316887 | DATABASE ENCRYPTION AND QUERY METHOD KEEPING ORDER WITHIN BUCKET PARTIALLY - A database encryption and query method keeping an order within a bucket partially, which encrypts and stores numeric data in a database, includes calculating a relative value of a plaintext within a bucket to which the plaintext is allocated; generating a first key value by producing a random number within the bucket; generating a second key value for defining a function having a bucket range of the bucket as an input; and changing the relative value based on the first and the second key value while partially keeping the order of the relative value to store the changed relative value. The first key value may be a value separating order information on the relative value. Further, the second key value may be a resultant value obtained by applying a mod 2 operation to the bucket size of the bucket. | 12-24-2009 |
| 20100026826 | APPARATUS FOR PROTECTING IMAGE - An image protection apparatus includes an information collecting unit for collecting personally identifiable information to be embedded in images captured by an image capturing instrument; and an information processing unit for extracting personal information from the collected personally identifiable information. Further, the image protection apparatus includes an information embedding unit for embedding the extracted personal information into a captured image; and an image signaturing unit for writing a signature on the captured image by using the extracted personal information. | 02-04-2010 |
| 20100031052 | LOW POWER HMAC ENCRYPTION APPARATUS - There are provided a low power SHA-1 hash algorithm apparatus having a low power structure and optimized to a trusted platform module (TPM) applied to a mobile trusted computing environment and a low power keyed-hash message authentication code (HMAC) encryption apparatus using the low power SHA-1 hash algorithm apparatus, the HMAC encryption apparatus including: a key padder padding key data for HMAC algorithm; an XOR operator XOR operating the padded key data and a padding constant; a data connector connecting a text to be encrypted, to data obtained by the XOR operating; a data padder padding the connected data; an SHA-1 hash algorithm part performing an SHA-1 hash algorithm on the padded data; a data selector selecting and applying one of a result of the SHA-1 hash algorithm and the text to be encrypted, to the data connector; and a controller controlling operations of the key padder, data connector, and data padder, a sequence of performing a hash algorithm of the SHA-1 hash algorithm part, and storing an operation result to read data required for performing an encryption operation and store data with memory. | 02-04-2010 |
| 20100067391 | APPARATUS AND METHOD FOR VISUALIZING NETWORK SITUATION USING SECURITY CUBE - An apparatus and method for visualizing a network condition related to network security are provided. The apparatus includes a traffic feature extracting unit, a network condition displaying unit, and a traffic abnormal condition determining unit. The traffic feature extracting unit extracts information including source address, source port, destination address, and destination port from network traffic, selects two of the extracted items, and calculates unique dispersion degrees of the two unselected items. The network condition displaying unit displays a two-dimensional cube expressed using the calculated unique dispersion degrees for the classified traffic. The traffic abnormal condition determining unit determines whether the traffic is in an abnormal condition or not based on the two-dimensional security cube. | 03-18-2010 |
| 20100100619 | METHOD AND APPARATUS FOR VISUALIZING NETWORK SECURITY STATE - There are provided a network security state visualization device and method, the device including: a security event collector collecting original security event information from network security apparatuses; a security event analyzer analyzing the original security event information collected by the security event collector and extracting characteristic data corresponding to a security event; and a three-dimensional visualization display unit visualizing a correlation between the characteristic data extracted by the security event analyzer as a three-dimensional screen to be displayed. | 04-22-2010 |
| 20100146621 | METHOD OF EXTRACTING WINDOWS EXECUTABLE FILE USING HARDWARE BASED ON SESSION MATCHING AND PATTERN MATCHING AND APPARATUS USING THE SAME - A method and apparatus for extracting a windows executable file that can search for a pattern related to windows executable files among a large quantity of network packets using a hardware-based session tracking and pattern matching technology and that can extract all packets included in the corresponding session are provided. The method of extracting a windows executable file includes: collecting incoming packets having a payload according to a session of a reference packet having an MZ pattern; performing a portable executable (PE) pattern matching for the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching. | 06-10-2010 |
| 20100150008 | APPARATUS AND METHOD FOR DISPLAYING STATE OF NETWORK - There are provided a network state display apparatus and method capable of easily determining a present network security state in real time by analyzing an abnormality and harmful traffic deteriorating performance of a network in software by using a result of combining essential characteristics of traffic, a distinct dispersion, and an entropy and displaying the network state to be intuitively recognized, the method including selecting and combining three of a source address, a source port, a destination address, and a destination port of collected traffic and calculating a distinct dispersion and an entropy of a residual one therefrom; displaying the calculated distinct dispersion and entropy on a security radar where the distinct dispersion and the entropy are assigned to an angle and a radius; determining whether a network state is abnormal, based on a result displayed on the security radar; and detecting and reporting detailed information on abnormal traffic causing the abnormal network state. | 06-17-2010 |
| 20100208083 | SYSTEM AND METHOD FOR PROVIDING APPLICATION SERVICE USING IMAGE DATA - There is provided a system and method for providing an application service using image data. One image data processing server collects images (for example, still images and moving images) captured by various kinds of image capturing apparatuses, such as CCTV systems and processes the collected images into data required to provide application services. A plurality of application service servers only provide processed data of the image data processing server without requiring an additional process to a display device of a user. Accordingly, the configuration of each of the application service servers is simplified to thereby reduce manufacturing costs. | 08-19-2010 |
| 20100212013 | LOG-BASED TRACEBACK SYSTEM AND METHOD USING CENTROID DECOMPOSITION TECHNIQUE - There are provided a system and method for tracing back an attacker by using centroid decomposition technique, the system including: a log data input module collecting log data of an intrusion alarm from an intrusion detection system; a centroid node detection module generating a shortest path tree by applying a shortest path algorithm to network router connection information collected by a network administration server, detecting a centroid node by applying centroid decomposition technique removing a leaf-node to the shortest path tree, and generating a centroid tree whose node of each level is the detected centroid node; and a traceback processing module requesting log data of a router matched with the node of each level of the centroid tree, and tracing back a router identical to the log data of the collected intrusion alarm as a router connected to a source of an attacker by comparing the log data of the router with the log data of the collected intrusion alarm. According to the system and method, an attacker causing a security intrusion event may be quickly detected, a load on the system is reduced, and a passage host exposed to a danger or having weaknesses may be easily recognized, thereby easily coping with an attack. | 08-19-2010 |
| 20100259644 | APPARATUS AND METHOD FOR PROCESSING IMAGE INFORMATION - An apparatus and a method for processing image information are provided. The apparatus for processing image information includes an image capturing device and an image information server for receiving and storing an image captured by the image capturing device and adds information on the image capturing device and signature information to image data obtained by the image capturing device. Accordingly, the device information and the signature information can be added to the image data obtained by the image capturing device to maintain security of the image data and use the image data as digital proof when a specific event is generated. | 10-14-2010 |
| 20100277600 | SYSTEM AND METHOD FOR IMAGE INFORMATION PROCESSING - A system and method for image information processing are disclosed. The system for image information processing includes: at least one image pickup terminal for providing image data picked up through a camera; an image information processing server for processing data collected from at least one image pickup terminal into data of a new format; and an application server for receiving the processed data from the image information processing server and providing the same to at least one user terminal. The amount of transmission data can be reduced and the reliability of information security can be increased since it is possible to allocate unique IDs to a plurality of image pickup terminals and application servers and identify the image pickup terminals and application servers only by their unique IDs without containing any particular information upon data transmission. | 11-04-2010 |
| 20110016208 | APPARATUS AND METHOD FOR SAMPLING SECURITY EVENT BASED ON CONTENTS OF THE SECURITY EVENT - There are provided an apparatus and method for sampling a security event based on contents of the security event, the apparatus including: a security event accumulation module collecting security events occurring in a network system and storing the security events for each type according to contents of the security event; a security event analysis module calculating distribution of the security events for each type by analyzing the stored security events; and a security event extraction module sampling the stored security events according to the calculated distribution of the security events for each type. The apparatus and method may improve speed of visualization of a security event and a security event analysis apparatus and may increase accuracy thereof. | 01-20-2011 |
| 20110016523 | APPARATUS AND METHOD FOR DETECTING DISTRIBUTED DENIAL OF SERVICE ATTACK - An apparatus for detecting a distributed denial of service (DDoS) attack includes: a monitoring unit for monitoring multiple GET requests and responses transmitted and received depending on a session establishment between a client and a server; and an attack detection unit for analyzing the monitored multiple GET requests and responses between the client and the server to detect traffic of the DDoS attack against the server. | 01-20-2011 |