Disclosed are an electronic device for improving detection of a malicious script by using an artificial intelligence model, and a control method thereof. The electronic device according to the present disclosure may comprise: a memory for storing a detection rule generation model for generating a rule for detecting a malicious script included in target data; and a processor which is connected to the memory and generates, by executing at least one instruction, a rule for detecting a malicious script included in the target data on the basis of a value output by inputting the malicious script into the malicious script detection rule generation model.
An operation method of an electronic apparatus is disclosed. The operation method according to the present disclosure comprises extracting item-specific data that matches a plurality of preconfigured items from within log data, applying the extracted item-specific data to a hash function corresponding to each item to obtain an item-specific hash value and checking for duplication of the log data based on whether the item-specific hash value is duplicated, updating a duplication count based on the checked duplication status, and detecting a threat based on the identified item-specific data and the updated duplication count.
The present invention proposes a device-to-device communication security enhancing technique for, in communication (e.g., VPN communication) between a central device and a branch device, implementing a technical configuration of verifying and controlling (blocking or allowing) a communication connection of the branch device after initial installation on/connection to the central device.
An operation method of at least one electronic apparatus is disclosed. The operation method according to the present disclosure comprises acquiring static and dynamic analysis results corresponding to the results obtained by performing static and dynamic analyses performed on a plurality of scripts, each classified as benign or malicious, converting the static and dynamic analysis results of each of the plurality of scripts into text formatted to match the output format of at least one Large Language Model (LLM), training the LLM based on the converted text so that the LLM infers static and dynamic analysis results from an input script, and predicting static and dynamic analysis results for at least one target script based on the trained LLM.
The objective of the present invention is to present a code flow obfuscation technique for obfuscating a code flow of an application, the method comprising: generating an unpredictable and complex obfuscation code block by using artificial intelligence (for example, generative AI); and implementing a configuration of naturally connecting a reference without affecting the code flow of the application during insertion of the obfuscation code block.
The present invention presents an information leakage control system and an information leakage control method for implementing a new technology capable of controlling, through central management, leakage of digital assets that can be leaked through a WDL function (for example: an AWDL function) of an end-point device (for example: an Apple computer) having a WDL interface (for example: an AWDL interface), which cannot be controlled by a conventional network security solution.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A remote control app detection method performed by a remote control app detection device according to an embodiment comprises the steps of: if a need for detection of a remote control app is identified, selecting, as an app to be inspected, an app having been executed within a pre-configured time or being currently executed; identifying a service being used by the app to be inspected; and if the service being used is declared to be a pre-configured screen-sharing service type, determining the app to be inspected as the remote control app.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
8.
CLIENT ASSET MANAGEMENT SYSTEM AND CLIENT ASSET MANAGEMENT METHOD
The present invention presents a technology for enabling server-based client asset management without additional equipment construction even for clients, belonging to a network (hereinafter, a closed network) having limited connectivity with the outside, through a particular technical configuration by which a data packet of each client belonging to the closed network is delivered to an asset management server outside the closed network in a distinguishable form.
In the present invention, a hash value for behavior data is generated and a scan request using the same is transmitted so that analysis results of the behavior data specified by the hash value are queried, and thus a novel behavior scan service is implemented to detect cloud-based malicious code even for behavior data.
Disclosed is a view-based remote control detection method. The view-based remote control detection method may comprise: detecting an event according to an input by a user to an application; acquiring a hardware ID for the event; determining whether the event is an input by software on the basis of the acquired hardware ID; and determining whether to block the event on the basis of the determination.
An apparatus for acquiring information according to an embodiment of the present invention comprises: a communication unit for performing communication with a monitoring device for monitoring a device; an active information obtaining unit for requesting the monitoring device for first information allocated to the device; a passive information acquiring unit for acquiring second information allocated to the device from a received packet when the packet monitored by the monitoring device is received through the communication unit; and a device information acquiring unit for acquiring information about the device by using the first information received according to the request and the second information obtained.
A communication management apparatus according to an embodiment comprises: a router that switches so as to connect to any one of a public internet network and an encrypted network; a communication unit that receives a packet from an internet of things terminal; an analysis unit that analyses an encryption level that is applied to the received packet; an encryption unit that does not encrypt the received packet if the analysed encryption level meets a predefined criterion, and that applies an encryption algorithm that is supported in the encrypted network to the received packet so as to encrypt the same if the analysed encryption level does not meet the criterion; and a control unit that controls switching of the router so that the encrypted packet is transmitted to a destination via the encrypted network, and that controls switching of the router so that the unencrypted packet is transmitted to the destination via the public internet network.
An image classification device for personal information searching according to an embodiment of the present invention classifies images to be optically recognized, according to predetermined classification criteria, and before optical recognition is performed, excludes images having low probability of including personal information, so that the number of images to be optically recognized for personal information searching can be reduced, and thus the efficiency of optical recognition can be increased and the costs can be reduced.
A malicious code diagnosis server according to an embodiment of the present invention comprises: a communication unit which receives, from each of a plurality of client terminals, file information including hash data of a file and metadata of the file stored in each client terminal; a file information organizing unit which groups only the file information having the same hash data among the received file information; a file information storage unit which maps and stores diagnostic information of the file corresponding to the grouped file information together with the grouped file information; a diagnostic information inquiry unit which, when a malicious code diagnosis is requested from a first client terminal among the plurality of client terminals, inquires the diagnostic information which is mapped to the file information comprising the same metadata as the metadata of the file for which the diagnosis is requested by the first client terminal among the stored file information; and a unit for determining whether or not to diagnose, which determines whether or not to diagnose malicious code for the file on the basis of the inquired diagnostic information.
09 - Scientific and electric apparatus and instruments
16 - Paper, cardboard and goods made from these materials
Goods & Services
Class 09: Computers installed with computer software that prevents, monitors, detects, intercepts, diagnoses and repairs all for computer security purposes; computer software that prevents, monitors, detects, intercepts, diagnoses and repairs all for computer security purposes; computer software for the purpose of providing security; protectors for telecommunication apparatus; mobile phone cases; computer program for security service using home network; electronic security system for home network; screen savers; computer software, recorded; computer programs, recorded; computer programs [downloadable software]; computer software for providing security to networks; computer programs for providing security to mobile device; computer software for providing security to mobile device; security terminal for authentication; software for ensuring the security of electronic mail; luminous signaling panels for use in automobiles; electronic indicator boards for use in automobiles; computers installed with computer software that monitors, detects, intercepts, diagnoses and repairs computer viruses; computers; computer software that monitors, detects, intercepts, diagnoses and repairs computer viruses; computer anti-virus software.
Class 16: Architects' models; note books; graphic reproductions; picture postcards; diary; calendars; stamps [seals]; note papers; stationery; paper for printing photographs; office requisites, except furniture; books; wrapping paper for gift; booklets; stickers; printed matter (except books and periodicals); software programmes and data processing programmes in printed form; photographs [printed]; periodicals; shopping bags of paper; labels of paper; page holders; cards; catalogues; pamphlets; millboard (paperboard); writing implements [writing instruments].
16.
SYSTEM FOR INSPECTING WHETHER NON-EXECUTABLE FILE IS MALICIOUS AND METHOD FOR INSPECTING WHETHER NON-EXECUTABLE FILE IS MALICIOUS
Disclosed is a technique, which can ensure high inspection reliability while minimizing an increase of inspection complexity, a deterioration in convenience, and the occurrence of damage to a host PC, for protecting, with high reliability, a system from a malicious code included in a non-executable file by implementing a novel maliciousness inspection technique (method) suitable for a non-executable file.
The present invention implements a malicious code detecting technique which detects a malicious code before actual damage is caused by the malicious code, wherein the technique is exposed only to the process to be detected, without being exposed to a user or a malicious code creator.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
A security management device according to one embodiment comprises: a communication unit for receiving an attribute value used for determining the security of a client terminal from the client terminal; a storage unit for storing an attribute standard, which is the standard for determining the security of the client terminal; and a determination unit for comparing the attribute standard with the attribute value and determining the security of the client terminal on the basis of the compared result.
A terminal control apparatus using a notification message according to an embodiment of the present invention may comprise: a sensing unit for sensing a notification message output request received by a user terminal through a packet based message; an analysis unit for receiving the notification message output request from the sensing unit so as to determine whether the notification message output request includes a predetermined character string; and a control unit for performing control such that the user terminal performs a predetermined operation, on the basis of the result of the determination, wherein the user terminal is configured to output a notification message on the basis of the notification message output request when the notification message output request is received.
The present invention relates to a security management device for monitoring equipment that is connected to a plurality of devices so as to monitor the plurality of devices, the security management device comprising: a connection unit connected to the monitoring equipment; a monitoring unit for, upon being connected to the monitoring equipment through the connection unit, monitoring a task which is executed in the monitoring equipment; and a control unit for allowing or blocking the execution of the task in the monitoring equipment on the basis of the result of the task monitoring by the monitoring unit.
A method for managing application data of a portable terminal according to the present invention comprises the steps of: allocating a plurality of data areas required for a data management policy for an application program; when the application program is executed, permitting connection to a specific data area of the plurality of data areas allocated for the application program on the basis of the data management policy; and executing the application program while performing the permitted connection to the specific data area.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
22.
APPARATUS AND METHOD FOR RECONSTRUCTING EXECUTION FILE
According to the present invention, in execution file reconstruction corresponding to obfuscation for an execution file in the Android platform, when obfuscation for an execution file such as a DEX file is performed, information on a parent-child relationship for each class defined by a class definition item in the execution file is analyzed by recursively establishing the parent-child relationship between classes with reference to class related information on a header of the obfuscated execution file, so as to reconstruct the original class hierarchy structure.
Provided are a malicious code diagnosing system and a method of diagnosing malicious codes. According to embodiments of the present disclosure, a malicious code diagnosing operation is performed only on files that are likely to be infected by malicious codes, by utilizing file change log information recorded in a file system. Accordingly, the malicious code diagnosing operation can be performed more quickly and reliably than conventional diagnosing methods.
The present invention relates to a method and an apparatus for detecting repackaging. The repackaging detection method comprises: a step for extracting file characteristic information of an application program to be inspected which can be operated in a mobile operating system; a step for acquiring file registration information for application programs to be managed, which are pre-stored in an application program database; and a step for selecting an original repackaging candidate group satisfying preset original repackaging candidate conditions, from among the application programs to be managed, according to a comparison result of the file characteristic information and the file registration information for the application programs to be managed. The present invention first selects the original repackaging candidate group when detecting whether the application programs, which can be operated in the mobile operating system, are repackaged. Therefore, similarity detection time and original repackaging detection time are greatly reduced, since the existence of the original repackaging can be confirmed within the original repackaging candidate group alone when confirming whether the original repackaging substantially exists, by detecting similarity among the application programs on a 1:1 basis.
An apparatus for diagnosing malicious applications includes: a signature storage unit which stores malicious application executable files, which can be run in a mobile operating system, and common feature information of variant files derived from said malicious application executable files as signature data for diagnosing maliciousness; an information collection unit which collects information corresponding to common feature information from executable files which are targeted for diagnosis and are diagnosed as malicious or not; a diagnosis determination unit which compares the corresponding information collected by the information collection unit with the common feature information stored in the signature storage unit in order to determine whether the application executable files are malicious; and a result provision unit which provides the results of the determination of whether the application executable files are malicious from the diagnosis determination unit.
A device for verifying an application on the basis of object extraction, according to the present invention, can comprise: an information acquisition unit for acquiring UI objects and relevant screen images with respect to an application to be analyzed; an information storage unit for storing the acquired UI objects and the entire screen image list of the relevant screen images; an object determination unit for searching for a valid UI object by searching a screen image to be verified and for specifying an object type of the retrieved valid UI object; and a control unit generating an event corresponding to the specified object type and executing an event activity.
Disclosed are a computer system, a signature verification server, a method of supporting signature verification by a computer system, and a method of verifying a signature. Embodiments of the present disclosure relate to a technology of misdiagnosis verification of a signature used for malicious code diagnosis, and more particularly to technologies which derive a result of performance of a malicious code diagnosis simulation on a signature in a multi-user computer environment using actual client antivirus software, and thus can overcome the physical, spatial, and temporal limitations of conventional signature misdiagnosis verification by pre-distributing a preliminary application signature, in a state where misdiagnosis verification has not been completed, to a plurality of user computers, reflecting the preliminary application signature in a malicious code diagnosis on files stored in the plurality of user computers, and performing misdiagnosis verification on the preliminary application signature based on information collected in connection with the result of the diagnosis.
According to the present invention, by receiving a URL call issued in a portable terminal and analyzing information on a URL, information on the source which has distributed the URL or the like before the URL call is transferred to a browser of the portable terminal, malicious behaviors through the URL, such as the leakage of personal information of a user, the occurrence of financial harm and the like, can be prevented. In addition, by detecting all URL call information issued in the portable terminal, URL related information in the portable terminal can be utilized and managed.
The present invention relates to a client system in which a plurality of clients may quickly diagnose new AV-killing malicious software to fundamentally block the execution of the AV-killing malicious software, based on the sacrifice of another client system, and a method of operating a client system.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
G06F 9/44 - Arrangements for executing specific programs
30.
PHISHING SITE DETECTING METHOD USING IMAGE COMPARISON AND APPARATUS THEREFOR
The present invention relates to a phishing site detecting method using image comparison, and an apparatus therefor. According to the present invention, the phishing site detecting method comprises the steps of: loading phishing detection reference information for detecting a phishing site; extracting from a target site target image information for a comparison on the basis of the phishing detection reference information; comparing the extracted comparison target image information with reference image information for a protected site included in the phishing detection reference information; and warning of the detection of a phishing site if the detection target site is determined as likely to be a phishing site based on the comparison. The method can advantageously detect a phishing site or prevent access even without the cooperation of an operating body of the detection target site, and can detect or prevent access to a phishing site solely using a communication terminal device that accesses the detection target site.
A method for managing application data of a portable terminal according to the present invention comprises the steps of: allocating a plurality of data areas required for a data management policy for an application program; when the application program is executed, permitting connection to a specific data area of the plurality of data areas allocated for the application program on the basis of the data management policy; and executing the application program while performing the permitted connection to the specific data area.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 9/44 - Arrangements for executing specific programs
32.
METHOD AND APPARATUS FOR INSPECTING MALICIOUS MESSAGE
The present invention relates to a method and an apparatus for inspecting a malicious message. To this end, the method for inspecting a malicious message comprises the steps of: collecting, from a plurality of communication terminal devices, network access position information included in received messages and identification information data of the received messages; classifying the collected identification information data of the received messages by the same network access position information; computing the identification information data of the received messages by the same network access position information; and determining whether the received messages are malicious according to a result of comparing computed values according to the computation of the identification information data of the received messages with a predetermined reference value.
The present invention relates to a method and an apparatus for inspecting risk of a message. To this end, the method for inspecting risk of a message comprises the steps of: extracting network access location information included in a received message in a message inspection mode; textually inspecting whether a connection file for a location according to the network access position information comprises an execution attribute; receiving a portion of packets in the connection file when the connection file is determined to not comprise the execution attribute; inspecting whether the connection file comprises the execution attribute by analyzing the received portion of packets; and alerting the risk of the received message when the connection file is determined to comprise the execution attribute according to the result of textual inspection or inspection by packet analysis.
Disclosed is an apparatus for diagnosing an attack which bypasses memory protection techniques, the apparatus comprising: a function detection unit for detecting whether a specific program function, which can alter the attribute information of a memory area, is called; an attribute inspection unit for inspecting whether the attribute information at the corresponding location of the memory area corresponds to an execution attribute when the called specific program function is detected by the function detection unit; an attribute changing unit for changing the attribute information such that an access violation occurs at the corresponding location of the memory area when the execution attribute is identified by the attribute inspection unit; an event detection unit for detecting whether the access violation occurs in the memory area; and a malicious determination unit for determining whether a shell code, which causes the access violation, is malicious when the access violation is detected by the event detection unit.
The present invention relates to cloud-based diagnosis of malware, which enables cloud-based malware diagnosis for an application and prevents the waste of resources and decrease in network speed during an upload process of an application file by partially uploading a specific partial file which is necessary to diagnose malware from among all of the files in the application when a new application for which malware diagnosis on a portable terminal has not been performed is discovered.
Disclosed is a method for strengthening a service security function. The embodiments of the present invention relate to a technique capable of further strengthening a security function when a service is used, which confirms beforehand whether a security program is operating normally for a service requiring a high level of security by utilizing the decryption function of the operating security program to thereby allow normal use of the service only when the security program is operating normally and to induce an installation of the security program in light of the security problem when the security program is operating abnormally.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
Disclosed are a system and a method for inspecting a malicious code. According to the embodiments of the present invention, a malicious code inspection is performed only for files having a high possibility of being infected by a malicious code by utilizing file change log information that is recorded in a file system, so that it is possible to improve the problems of long inspection time and low inspection reliability in a conventional inspection method, and to perform a fast, highly reliable and efficient malicious code inspection.
The data management device for a mobile apparatus of the present invention comprises: a data communication monitoring block for monitoring the state of communication with an MDM server, and generating an action control signal when communication with the MDM server is not possible; a battery management block for responding to the action control signal, checking the remaining capacity in a battery of the mobile apparatus, and ascertaining if the remaining capacity is not below a predetermined minimum capacity; a time monitoring block for counting the elapsed time when the remaining capacity is below the predetermined minimum capacity; and a data management block for deleting data stored on the mobile apparatus when the remaining capacity is below the predetermined minimum capacity or when the counted elapsed time reaches a predetermined time.
According to the present invention, an apparatus for managing data in a mobile device includes: a time monitor block for monitoring whether a losing command message arrives within a predetermined deletion start time by counting the time elapsed, after registering the reception time of the losing command message coming from an MDM server; a battery management block for checking the remaining power of the battery of the mobile device during the registration of the reception time so as to determine whether the remaining power is equal to or less than a predetermined minimum value; a terminal management execution block for requesting the MDM server to confirm the start of the data deletion when the remaining power is equal to or less than the predetermined minimum value or the counted elapsed time reaches the predetermined deletion time; and a data management block for deleting the data stored in the mobile device when receiving an approval message from the MDM server for the confirmation request.
Disclosed are a system for preventing malware invasion and a method for operating the system for preventing malware invasion. Embodiments of the present invention relate to a technology which monitors a data packet transmitted via a session connected between a terminal system and an external device, changes (treats (removes malware) and records information for inducing disconnection of the session) the relevant data packet, when the data packet infected with malware is found, and transmits the changed data packet in the original transmission direction. Thus, the external device or the terminal system that receives the changed data packet may disconnect the session based on the changed data packet. As a result, malicious invasion from an external source can be effectively prevented, and the problem of neglecting a shared session caused by the prevention of the invasion can be effectively solved.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
41.
APPARATUS FOR SECURING MOBILE DATA AND METHOD THEREFOR
The present invention relates to an apparatus for securing mobile data and a method therefor. The disclosed apparatus for securing mobile data includes: a data security control unit for obtaining a security token and the additional information and seed used in the generation of the security token from a server stage to request encoding or decoding of the data by using the security token; and a data security processing unit for generating a verifying token based on the additional information and seed supplied from the data security control unit to process the requested encoding or decoding of the data if the security token matches the verifying token.
The present invention discloses a P2P-based update device and a method of operating it. Embodiments of the present invention relate to a technology in which, when a client accesses a server to obtain group information on the clients participating in a P2P-based file update, the server refuses the access instead of providing group information if the client has not been authenticated by the server or its metadata file is not valid. This reduces the generation and distribution of unnecessary group information, preventing degradation of server performance and increasing the efficiency of file updating.
G06F 21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
G06F 9/44 - Arrangements for executing specific programs
43.
APPARATUS AND METHOD FOR DIAGNOSING MALICIOUS APPLICATION
According to the present invention, when diagnosing a malicious application on a portable terminal such as an Android OS-based smart phone, the DEX file containing the execution code of the application is located inside the apk file (the installation file of the application), only the partial region of the DEX file header that contains the hash information used to verify the DEX file is uncompressed, and the presence of a malicious application is checked by comparing the hash information recorded in the DEX file header with signature hash information. The malicious application can thus be diagnosed rapidly and accurately, and performance degradation of the terminal is prevented.
G06F 9/44 - Arrangements for executing specific programs
G06F 9/06 - Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
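Added example for the header-only DEX check described in entry 43 above (and for the DEX-signature comparison used by the application-similarity entry further down). This is illustrative code written for this page, not the patent holder's implementation. It assumes the DEX header layout published with Android (magic, then a 4-byte Adler-32 checksum at offset 0x08 covering everything after it, then a 20-byte SHA-1 signature at offset 0x0C covering everything after it, header size 0x70), a hypothetical blocklist keyed by the SHA-1 signature, and a constructed in-memory APK as input:

```python
import hashlib
import io
import struct
import zipfile
import zlib

# DEX header layout (little-endian): magic[8] | adler32 checksum (u32) |
# sha1 signature[20] | file_size | header_size | endian_tag | ... ; 0x70 bytes.
DEX_HEADER_SIZE = 0x70
CHECKSUM_OFF = 0x08
SIGNATURE_OFF, SIGNATURE_LEN = 0x0C, 20

# Constructed blocklist of DEX SHA-1 signatures (hex) of known-bad samples.
# Hypothetical; empty here and supplied by the caller in the usage below.
KNOWN_BAD_DEX_SIGNATURES: set = set()


def build_fake_dex(body: bytes) -> bytes:
    """Constructed fixture: a 0x70-byte DEX header with a valid Adler-32
    checksum and SHA-1 signature over `body`.  Not a loadable DEX."""
    data = bytearray(DEX_HEADER_SIZE) + bytearray(body)
    data[0:8] = b"dex\n035\0"
    struct.pack_into("<I", data, 0x20, len(data))          # file_size
    struct.pack_into("<I", data, 0x24, DEX_HEADER_SIZE)     # header_size
    struct.pack_into("<I", data, 0x28, 0x12345678)          # endian_tag
    # signature covers everything after the signature field itself
    data[SIGNATURE_OFF:SIGNATURE_OFF + SIGNATURE_LEN] = hashlib.sha1(bytes(data[0x20:])).digest()
    # checksum covers everything after the checksum field (signature included)
    struct.pack_into("<I", data, CHECKSUM_OFF, zlib.adler32(bytes(data[0x0C:])) & 0xFFFFFFFF)
    return bytes(data)


def build_fake_apk(dex: bytes) -> bytes:
    """Constructed fixture: an APK-shaped zip with a large asset we never inflate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
        z.writestr("assets/bulk.bin", b"\0" * 500_000)
    return buf.getvalue()


def read_dex_header(apk: bytes) -> bytes:
    """Inflate only the first 0x70 bytes of classes.dex.  zipfile decompresses
    the entry as a stream, so the remainder of the file is never inflated."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        with z.open("classes.dex") as f:
            header = f.read(DEX_HEADER_SIZE)
    if len(header) < DEX_HEADER_SIZE or header[:4] != b"dex\n":
        raise ValueError("classes.dex is not a DEX file")
    return header


def dex_signature_hex(header: bytes) -> str:
    return header[SIGNATURE_OFF:SIGNATURE_OFF + SIGNATURE_LEN].hex()


def triage_apk(apk: bytes, blocklist=KNOWN_BAD_DEX_SIGNATURES) -> str:
    """Fast path: header-only lookup of the recorded SHA-1 against the blocklist."""
    return "malicious" if dex_signature_hex(read_dex_header(apk)) in blocklist else "unknown"


def verify_dex_hashes(dex: bytes) -> bool:
    """Slow path (reads the whole DEX): the recorded hashes must match the body.
    A mismatch means the header was edited without re-hashing, e.g. to dodge a lookup."""
    checksum, = struct.unpack_from("<I", dex, CHECKSUM_OFF)
    sig = dex[SIGNATURE_OFF:SIGNATURE_OFF + SIGNATURE_LEN]
    return (sig == hashlib.sha1(dex[0x20:]).digest()
            and checksum == (zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF))


if __name__ == "__main__":
    sample = build_fake_dex(b"\x01\x02\x03" * 700)
    apk = build_fake_apk(sample)
    print(triage_apk(apk, {dex_signature_hex(read_dex_header(apk))}))  # malicious
```

The recorded SHA-1 is a fingerprint, not a proof of anything: repacking the app with any change produces a new one, so the fast path only recognises samples already in the list, and a header whose hashes no longer match the body (verify_dex_hashes) is itself a sign of tampering.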
44.
METHOD AND DEVICE FOR MANAGING AND CONTROLLING APPLICATIONS OF MOBILE TERMINAL AND RECORDING MEDIUM IN WHICH PROGRAM FOR EXECUTING METHOD THEREFOR IS RECORDED
A method for managing and controlling applications of a mobile terminal according to the present invention comprises: classifying applications into first-mode applications and second-mode applications according to a preset application management policy to produce an operating system (OS) application execution list; when the second mode is selected, backing up the first-mode applications and then deleting them from the OS application execution list; and executing the selected second-mode application when one of the second-mode applications in the OS application execution list is selected.
G06F 9/44 - Arrangements for executing specific programs
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
45.
APPARATUS AND METHOD FOR DETECTING FRAUDULENT/ALTERED APPLICATIONS
The present invention relates to an apparatus and method for detecting fraudulent/altered applications, which can accurately detect such applications by recognizing the application being diagnosed using pre-stored signature information for each application, and determining whether the recognized application is fraudulent/altered using verification signature information set for that purpose. In addition, damage caused by fraudulent/altered applications can be reduced by blocking or deleting them according to a policy.
Disclosed are an abnormal path call detecting apparatus and an abnormal path call detecting method. Embodiments of the present invention pertain to a technology that efficiently increases the reliability of the determination of whether a function call is an abnormal-path call, by using the processor's Last Branch Record (LBR) to determine whether a significant function that is not exposed externally has been called through an abnormal path by a malicious subject.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 9/06 - Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
47.
COMPUTER SYSTEM AND METHOD OF USING WHITE LIST OF SAID COMPUTER SYSTEM
A computer system and a method of using the whitelist of the computer system are disclosed. Starting from the observation that the plurality of files written sequentially when a specific program (e.g., an OS program) is installed cannot yet have been activated by malicious code, embodiments of the present invention build a safer and more reliable whitelist for an environment that examines files for malicious code against a whitelist, and then perform the examination against that whitelist, so that both the speed and the safety of examining files for malicious code are effectively improved compared with a typical technique.
An apparatus for connecting to an update server includes an update unit configured to connect to the update server over a network using a pre-stored domain name address of the update server and an IP address acquisition unit configured to acquire an IP address of the connected update server. The IP address acquired by the IP address acquisition unit is stored as a trusted IP address in a storage unit. The apparatus further includes a reconnection processing unit configured to fetch the trusted IP address of the update server and try connecting to the update server using the trusted IP address in the case of failure to connect to the update server using the pre-stored domain name address.
An apparatus for detecting a malicious shellcode by using a debug event comprises: an alarm setting unit for setting a debug event to occur when a mother process, which is generated by a mother program executing a non-executable file, attempts to execute a file without an execution attribute; an information storage unit for storing address range information on a memory in which normal modules used by the mother process are loaded; and a maliciousness determination unit for determining, by using the acquired address range information, whether the non-executable file is malicious if the debug event occurs.
An apparatus for diagnosing malicious applications includes: a signature storage unit which stores malicious application executable files, which can be run in a mobile operating system, and common feature information of variant files derived from said malicious application executable files as signature data for diagnosing maliciousness; an information collection unit which collects information corresponding to common feature information from executable files which are targeted for diagnosis and are diagnosed as malicious or not; a diagnosis determination unit which compares the corresponding information collected by the information collection unit with the common feature information stored in the signature storage unit in order to determine whether the application executable files are malicious; and a result provision unit which provides the results of the determination of whether the application executable files are malicious from the diagnosis determination unit.
An apparatus for detecting malicious shellcode using a debugging event includes an alert setting unit configured to set up a mother program that runs a non-executable file so that the debugging event is triggered when a mother process created by the mother program tries to execute code without an execution attribute; and an information storage unit configured to store information on the address ranges in memory into which the modules used by the mother process are loaded. Further, the apparatus includes a malicious code determination unit configured to determine, using the address range information, whether the non-executable file is malicious when the debugging event occurs.
Disclosed are a computer system, a method for shifting an address of a computer system, and a method for monitoring a system function of a computer system. Embodiments of the present invention are provided with a memory access module that supports accessing memory with a number of address bits smaller than that of the OS environment, i.e., the number of bits corresponding to only part of the entire address range of the memory device. By storing, within the accessible partial address range, an address redirection function that redirects to the otherwise inaccessible residual address range, the entire address range of the memory device can be used effectively, and by monitoring system functions through kernel-mode hooking, as on a 32-bit OS, a security function of the same level as a 32-bit OS can be provided in a 64-bit OS environment.
In the present invention, when files installed in a mobile terminal are diagnosed for malicious code, all files including application files are diagnosed. For application files, however, which generate a relatively heavy load, the diagnostic information produced is stored in a caching DB together with unique information that can guarantee the integrity of the corresponding application file, and for an application identical to one stored in the caching DB the previous diagnostic information is output as the result without performing the diagnosis again. Accordingly, the load generated by malicious code diagnosis in a mobile terminal can be minimized.
The present invention relates to diagnosing malicious applications in a mobile terminal such as an Android OS-based smart phone. According to the present invention, only the certificate file of an application, which holds hash information on every individual file included in the application's APK file, is uncompressed, and the hash information on the individual files found in the uncompressed certificate file is compared with pre-stored signature hash information. Accordingly, degradation of the terminal's performance is prevented, and malicious applications can be rapidly and accurately diagnosed.
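Added example for the certificate-file approach in the entry above: illustrative code written for this page, not the patent holder's implementation. It assumes the file in question is the JAR-style META-INF/MANIFEST.MF of an APK signed with the v1 scheme, which lists a base64 digest for every entry (lines longer than 72 bytes are wrapped with a leading-space continuation line), a hypothetical blocklist of classes.dex digests, and a constructed in-memory APK as input:

```python
import base64
import hashlib
import io
import zipfile

# Constructed blocklist: hex SHA-256 digests of classes.dex entries seen in
# known malicious APKs.  Hypothetical; empty here and supplied by the caller.
KNOWN_BAD_DEX_DIGESTS: set = set()

_DIGEST_ALGOS = {"SHA-256": hashlib.sha256, "SHA1": hashlib.sha1}


def _wrap(line: str) -> str:
    """JAR manifest lines are at most 72 bytes; a longer line continues on the
    next line after a single leading space."""
    out, rest = line[:70], line[70:]
    while rest:
        out, rest = out + "\r\n " + rest[:69], rest[69:]
    return out


def build_fake_apk(entries: dict, swap=None) -> bytes:
    """Constructed fixture: an APK-shaped zip with a v1-style META-INF/MANIFEST.MF
    listing a SHA-256 digest per entry.  swap=(name, data) stores different bytes
    for one entry than the manifest claims, to simulate tampering."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [_wrap(f"Name: {name}"), f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data if not swap or swap[0] != name else swap[1])
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse MANIFEST.MF into {entry name: {attribute: value}}: join continuation
    lines, then split sections on blank lines.  The unnamed main section is dropped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    sections, current = {}, {}
    for line in logical + [""]:
        if not line:
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return sections


def entry_digests(apk: bytes) -> dict:
    """Fast path: read only META-INF/MANIFEST.MF; return {entry: (algorithm, hex digest)}."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        text = z.read("META-INF/MANIFEST.MF").decode("utf-8")
    result = {}
    for name, attrs in parse_manifest(text).items():
        for key, value in attrs.items():
            if key.endswith("-Digest"):
                result[name] = (key[:-len("-Digest")], base64.b64decode(value).hex())
    return result


def triage_apk(apk: bytes, blocklist=KNOWN_BAD_DEX_DIGESTS) -> str:
    algo_digest = entry_digests(apk).get("classes.dex")
    return "malicious" if algo_digest and algo_digest[1] in blocklist else "unknown"


def verify_manifest(apk: bytes) -> bool:
    """Slow path: recompute every digest from the entry bytes.  Only this (or a
    signature check over CERT.SF/CERT.RSA) proves the manifest describes the files."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name, (algo, hexdigest) in entry_digests(apk).items():
            if _DIGEST_ALGOS[algo](z.read(name)).hexdigest() != hexdigest:
                return False
    return True
```

MANIFEST.MF is plain data that anyone repacking the APK can rewrite, so the fast path identifies known samples only; whether the listed digests are trustworthy depends on verifying the signature chain (and on newer APKs, the v2/v3 signing block, which digests the whole archive rather than individual files).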
An apparatus for inspecting a non-PE file includes a data loading unit configured to load candidate malicious address information related to a malicious code of the non-PE file; and a program link unit configured to acquire normal address range information of a module being loaded on a memory when an application program adapted for the non-PE file is executed and set up a candidate malicious address corresponding to the candidate malicious address information to be a breakpoint of the application program. Further, the apparatus includes a malicious code determination unit configured to determine whether a next execution address is within the normal address range information when there occurs an event derived from the breakpoint.
The present invention relates to an apparatus and method for checking malicious files. The apparatus includes: a program driving unit outputting an execution address of an instruction executed when driving a program corresponding to a non-executable file; an address storing unit storing normal address range information according to the driving of the program; and a maliciousness determining unit determining whether the non-executable file is malicious according to whether the execution address is outside the normal address range information. Accordingly, the present invention has the effect of quickly and accurately identifying maliciousness of a non-executable file before a malicious code in the non-executable file is executed.
An apparatus for detecting a malicious file includes a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; and an address storage unit configured to store normal address range information in accordance with the driving of the program. Further, the apparatus includes a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.
The present invention, an apparatus for blocking an interface function called by a browser plug-in, comprises: a monitoring unit for monitoring whether a target interface function for accessing or modifying cookie information or the information of a web page running in a browser is called; a determination unit for determining, when the interface function is called, whether its caller is a plug-in; and a blocking unit for blocking use of the called interface function when the caller is the plug-in.
The present invention relates to an apparatus and a method for checking non-executable files. The apparatus includes: a data loading unit that loads malicious candidate address information related to a malicious code of a non-executable file; a program connection unit that obtains normal address range information for a module, which is stored in a memory, and sets a breakpoint for the malicious candidate address information; a maliciousness determining unit that determines whether a next execution address belongs to the normal address range information when an event for the breakpoint occurs. Accordingly, the present invention has the effect of quickly and accurately detecting a malicious non-executable file before a malicious code in the non-executable file is executed.
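Added example for the family of non-executable-file entries above (debug-event, breakpoint and execution-address variants), which all reduce to one decision: is the next executed address inside the address range of some module legitimately loaded by the viewer process? This is illustrative code written for this page, not the patent holder's implementation; the module map, the addresses and the trace are constructed, and a real detector would obtain them from the loader and the debug event at the time it fires:

```python
import bisect

# Constructed module map of a document-viewer process (hypothetical addresses):
# (base, size, name).  A real implementation takes this from the loader or the
# debugger at the moment the breakpoint / debug event fires.
SAMPLE_MODULES = [
    (0x7FF6_1000_0000, 0x0020_0000, "viewer.exe"),
    (0x7FFC_A000_0000, 0x0010_0000, "ntdll.dll"),
    (0x7FFC_9F00_0000, 0x0030_0000, "kernel32.dll"),
]

# Constructed execution trace after the breakpoint on a candidate malicious
# address: addresses inside modules, then a transfer into heap memory.
HEAP_SHELLCODE = 0x0000_01F3_4A00_0000
SAMPLE_TRACE = [0x7FF6_1000_1000, 0x7FFC_9F00_0100, HEAP_SHELLCODE, 0x7FFC_A000_0010]


class ModuleMap:
    """Sorted, non-overlapping [base, base+size) spans with O(log n) lookup."""

    def __init__(self, modules):
        spans = sorted((base, base + size, name) for base, size, name in modules)
        for (_, prev_end, prev), (base, _, name) in zip(spans, spans[1:]):
            if base < prev_end:
                raise ValueError(f"overlapping modules: {prev} / {name}")
        self._starts = [s[0] for s in spans]
        self._spans = spans

    def module_at(self, addr: int):
        """Name of the module containing addr, or None if no module covers it."""
        i = bisect.bisect_right(self._starts, addr) - 1
        if i >= 0 and addr < self._spans[i][1]:
            return self._spans[i][2]
        return None


def first_out_of_range(modmap: ModuleMap, trace):
    """(index, address) of the first executed address that lies outside every
    loaded module, or None if the whole trace stays inside known modules."""
    for i, addr in enumerate(trace):
        if modmap.module_at(addr) is None:
            return i, addr
    return None


def verdict(modmap: ModuleMap, trace) -> str:
    """The decision the maliciousness determination unit would return."""
    return "malicious" if first_out_of_range(modmap, trace) else "normal"


if __name__ == "__main__":
    print(first_out_of_range(ModuleMap(SAMPLE_MODULES), SAMPLE_TRACE))
```

The check is cheap because the map is consulted only when the event fires, but "inside a module" is not the same as "benign": a return-oriented chain executes entirely inside loaded modules, which is why the LBR-based entry above looks at the branch path rather than only at the destination address.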
A method for detecting whether a file includes malware is performed on a device. The method includes extracting information of at least two predetermined items in the file; creating a genetic map for the file by altering the extracted information into a previously set format; comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the created genetic map and the previously stored malware genetic map; and determining that the file is a malware when the similarity is higher than a reference value.
The present invention relates to an apparatus for adding information to a digitally signed PE file, including: a parsing unit for parsing the digitally signed PE file; a size-adjusting unit for increasing, by a preset unit, the size value of the certificate table section recorded in the parsed PE file; and an information-changing unit for adding the data to the certificate table section and adjusting the cyclic redundancy check value, wherein the digital signature remains valid even though information has been added to the digitally signed PE file, and the added information can be read.
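Added example for the entry above: illustrative code written for this page, not the patent holder's implementation. It relies on two documented properties of Authenticode: the signed digest excludes the OptionalHeader.CheckSum field, the security data-directory entry and the attribute certificate table itself, and the table is a sequence of 8-byte-aligned WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType, data). The "cyclic redundancy check value" of the abstract is taken to be the PE CheckSum field, which is what an implementer has to recompute. The PE image is a constructed headers-only PE32+ fixture with a stand-in certificate blob, and the digest is simplified to that layout:

```python
import hashlib
import struct

PE32PLUS_MAGIC = 0x20B
SECURITY_DIR = 4                          # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT = struct.Struct("<IHH")          # dwLength, wRevision, wCertificateType


def _layout(pe: bytes):
    """File offsets of OptionalHeader.CheckSum and of the security directory entry."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == PE32PLUS_MAGIC else 96)   # PE32+ vs PE32 directories
    return opt + 64, dirs + 8 * SECURITY_DIR


def pe_checksum(pe: bytes) -> int:
    """OptionalHeader.CheckSum as Windows computes it: 16-bit sum with carry
    folding over the whole file, skipping the CheckSum field, plus the file length."""
    checksum_off, _ = _layout(pe)
    total = 0
    for i in range(0, len(pe) - 1, 2):
        if i in (checksum_off, checksum_off + 2):
            continue
        total += struct.unpack_from("<H", pe, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(pe) % 2:
        total += pe[-1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(pe)) & 0xFFFFFFFF


def checksum_is_consistent(pe: bytes) -> bool:
    checksum_off, _ = _layout(pe)
    return struct.unpack_from("<I", pe, checksum_off)[0] == pe_checksum(pe)


def authenticode_hash(pe: bytes) -> str:
    """The digest Authenticode signs: the file minus CheckSum, the security
    directory entry and the certificate table.  Requires the table to end the file."""
    checksum_off, secdir_off = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    if cert_off + cert_size != len(pe):
        raise ValueError("certificate table must end the file")
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:cert_off])
    return h.hexdigest()


def append_to_cert_table(pe: bytes, extra: bytes) -> bytes:
    """Grow the WIN_CERTIFICATE entry by `extra` (padded to 8 bytes) and fix
    dwLength, the directory size and CheckSum.  Nothing the digest covers changes."""
    checksum_off, secdir_off = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    if cert_off + cert_size != len(pe):
        raise ValueError("certificate table must end the file")
    padded = extra + b"\0" * (-len(extra) % 8)
    out = bytearray(pe) + padded
    length, rev, ctype = WIN_CERT.unpack_from(out, cert_off)
    WIN_CERT.pack_into(out, cert_off, length + len(padded), rev, ctype)
    struct.pack_into("<I", out, secdir_off + 4, cert_size + len(padded))
    struct.pack_into("<I", out, checksum_off, pe_checksum(bytes(out)))
    return bytes(out)


def read_appended(pe: bytes, original_cert_len: int) -> bytes:
    """Recover the appended data, given dwLength of the untouched certificate entry."""
    _, secdir_off = _layout(pe)
    cert_off, = struct.unpack_from("<I", pe, secdir_off)
    length, = struct.unpack_from("<I", pe, cert_off)
    return pe[cert_off + original_cert_len:cert_off + length]


def build_fake_signed_pe(cert_blob: bytes) -> bytes:
    """Constructed fixture: headers-only PE32+ with one certificate entry
    (cert_blob stands in for the PKCS#7 SignedData).  Not loadable."""
    e_lfanew, opt_size = 0x80, 112 + 16 * 8
    image = bytearray(e_lfanew + 4 + 20 + opt_size)       # ends at 0x188, 8-byte aligned
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", image, opt + 108, 16)           # NumberOfRvaAndSizes
    cert_blob += b"\0" * (-len(cert_blob) % 8)
    entry = WIN_CERT.pack(WIN_CERT.size + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert_off = len(image)
    image += entry
    struct.pack_into("<II", image, opt + 112 + 8 * SECURITY_DIR, cert_off, len(entry))
    struct.pack_into("<I", image, opt + 64, pe_checksum(bytes(image)))
    return bytes(image)
```

The same gap that makes this feature possible is the one abused to smuggle payloads into signed installers; Microsoft's optional stricter verification introduced with MS13-098 (the EnableCertPaddingCheck setting) rejects bytes in the certificate table that are not part of the PKCS#7 structure, so data stored this way may fail verification where that check is enabled.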
An apparatus for blocking external access to a browser includes: an access monitor for monitoring whether a program is accessing the browser; a document-object acquisition detector for detecting whether a program found by the access monitor to be accessing the browser acquires a document object of the browser; and an injection blocker for blocking the program's access to the browser when the document-object acquisition detector detects that the program has acquired the document object.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
H04L 29/06 - Communication control; Communication processing characterised by a protocol
Disclosed are a computer system, a signature verification server, a method by which a computer system supports signature verification, and a method of signature verification. Embodiments of the present invention relate to a technique for error verification of the signatures used in malicious code diagnosis: preliminary signatures whose error verification has not yet been completed are distributed in advance to a plurality of user computers and applied when the files stored on those terminals are diagnosed for malicious code, and the error verification of the preliminary signatures is then performed on the basis of information collected about the diagnosis results. Simulated results of malicious code diagnosis with a signature can thus be obtained from the plurality of real user environments in which client anti-virus products are actually deployed, overcoming the physical, spatial and temporal limitations of conventional signature error verification.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
64.
COMPUTER SYSTEM AND SYSTEM FOR COMPOUND RULE CREATION ON BASIS OF FILE AND BEHAVIOR
Disclosed are a computer system, a system for compound rule creation on the basis of files and behavior, a method by which a computer system supports rule creation, and a method for compound rule creation on the basis of files and behavior. Embodiments of the present invention pertain to a technique for creating response rules for malicious code diagnosis by collecting samples of malicious code behavior and linking them with file diagnosis: when suspicious behavior occurs according to a behavior surveillance rule in any of a plurality of real user environments, information such as the suspicious behavior and the file responsible for it is collected as a sample, and a new response rule, that is, a behavior surveillance rule and/or a file diagnosis rule (signature), is created and distributed. By linking behavior-based and file-based diagnosis of malicious code and drawing on an unspecified plurality of user computer environments, the technique responds smoothly to a variety of environments, improves the effectiveness and speed of diagnosis, and reduces the possibility of mis-diagnosis.
The present invention relates to a user device and a method of diagnosing malicious code using the same, in which a user device having malicious code diagnosis and disinfection functions is connected to a computing apparatus by wired or wireless means (USB interface, Bluetooth, wireless LAN, etc.) and detects and disinfects malicious code by real-time monitoring under the control of the user. According to the present invention, simple operation of the user device connected to the computing apparatus is enough to diagnose and disinfect malicious code, and the user can easily follow the procedure of diagnosing, detecting and disinfecting malicious code through an LED and a speaker on the user device, so that even users with little computing skill can readily diagnose and disinfect malicious code.
The present invention relates to a whitelist synchronization server, to a method for controlling the synchronization of the whitelist synchronization server, to a client apparatus, and to a method for operating the client apparatus. The embodiments of the present invention relate to a technology enabling highly reliable and effective updating and synchronization of a whitelist between the server and the client by allowing the server to divide a whitelist file for each period and provide the client with information for each period, and allowing the whitelist to be updated by collecting/using only the necessary information on the whitelist file included in the client in a corresponding period.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
67.
P2P-BASED UPDATE CLIENT, SERVER DEVICE, SYSTEM, AND METHOD
A peer-to-peer (P2P)-based update server device comprises: a meta data information analysis unit which analyzes information of a meta data file transmitted from each client through a network using a P2P-based protocol, and groups clients having the same meta data file information into one group; a sub-group management unit which groups clients, which are grouped into the group, into one or more sub-groups according to additional information of each client; and a control unit which manages information on the generated group and sub-group, and transmits information on the sub-group to a corresponding client.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
A server apparatus for verifying data integrity in a P2P-based network includes: a metadata file creating unit for creating a metadata file; a metadata verification file creating unit for creating a metadata verification file used to verify the integrity of the metadata file; a digital signing unit for digitally signing the metadata verification file; a metadata verification file integrity checking unit for checking the integrity of the digitally signed metadata verification file; and a controller for having the metadata verification file created and for transmitting the metadata file and the metadata verification file using a P2P-based protocol.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols, including means for verifying the identity or authority of a user of the system
H04L 29/06 - Communication control; Communication processing characterised by a protocol
69.
BACKUP DEVICE AND BACKUP SERVER FOR TARGET INFORMATION
The present invention relates to a backup device for target information, a method of operating the backup device, a backup server, and a method of operating the backup server. According to embodiments of the present invention, backup information corresponding to target information infected with malicious code is stored in a quarantine area (backup storage area) on a local disk before the target information is treated, and if the storage status of the backup storage area satisfies an external backup condition, some of the backup information in the backup storage area is uploaded to and stored on a remote backup server. The embodiments thus relate to a technology for ensuring the reliability of backup information, namely its completeness and integrity as well as its recency.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 12/16 - Protection against loss of memory contents
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
70.
SYSTEM, USER TERMINAL, METHOD, AND APPARATUS FOR PROTECTING AND RECOVERING SYSTEM FILE
An apparatus for protecting and recovering a system file comprises: a system file setting unit which designates a system file within the operating system program of a computing apparatus; a hash value calculation unit which calculates a hash value of the designated system file on a preset cycle and stores the calculated hash value in a storage unit; and a file backup unit which encrypts the system file corresponding to the calculated hash value and stores the encrypted system file in the storage unit.
The apparatus for updating applications creates a synchronization application list of the applications that use an identical module, extracts from that list information on the applications that use an update module received from an application distribution server, and includes an update module distribution unit for transmitting the update module and the application information to one or more terminals. Accordingly, a terminal updates the module of the application identified by the application information using the update module.
The present invention relates to a technology for detecting similarity between applications, which measures the similarity between applications running on the Android mobile platform using information based on the characteristics of those applications: the DEX signature, the developer's signature and the files inside the APK are analyzed through file information extraction, and classes and methods are analyzed and compared. According to the present invention, forgeries made by repackaging Android applications, and even the degree of similarity between apps, can be determined relatively easily. Through this, the rights and interests of application developers can be protected, and a user can precisely determine whether the corresponding application is genuine.
The present invention relates to an API-based application analysis technology which analyzes and diagnoses the properties and risks of an application installed in a mobile device on the basis of its usage of the mobile operating system platform API. To this end, the technology classifies the operating system platform API by action element and by pattern, assigns a weight to each to create a diagnosis policy model, and then analyzes the APIs extracted from the application to determine its functional properties and risk. According to the present invention, since the analysis of an application installed in a mobile device is automated, the tendencies and risk of the application can be analyzed more objectively and quickly without depending on an analyst, and the mobile device user can be given a guide to the predicted risk elements and risks, together with quantitative figures for the risk and the API distribution by risk element.
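Added example of the policy-model scoring described in the entry above: illustrative code written for this page, not the patent holder's implementation. The action elements, the API names, the weights, the patterns and the level thresholds are all constructed for illustration; the input is the set of fully qualified platform APIs an application references, as a static extractor would produce from its DEX:

```python
from collections import defaultdict

# Constructed diagnosis policy model.  Element names, API list, weights and
# thresholds are hypothetical; a real model is derived from the platform's API map.
POLICY = {
    "elements": {
        "privacy_read": {
            "android.provider.ContactsContract": 3,
            "android.telephony.TelephonyManager.getDeviceId": 4,
        },
        "network_send": {
            "java.net.HttpURLConnection.getOutputStream": 2,
            "java.net.Socket.getOutputStream": 3,
        },
        "sms": {"android.telephony.SmsManager.sendTextMessage": 5},
        "dynamic_code": {
            "dalvik.system.DexClassLoader.<init>": 5,
            "java.lang.Runtime.exec": 4,
        },
        "persistence": {
            "android.app.admin.DevicePolicyManager": 3,
            "android.content.BroadcastReceiver": 1,
        },
    },
    # Patterns: element combinations that are riskier together than apart.
    "patterns": {
        ("privacy_read", "network_send"): 6,   # collect and exfiltrate
        ("dynamic_code", "network_send"): 6,   # download and run
        ("sms", "persistence"): 4,             # premium-SMS abuse that survives reboot
    },
    "levels": ((15, "high"), (7, "medium"), (0, "low")),
}


def analyze_apis(api_refs, policy=POLICY) -> dict:
    """Score an application from the platform APIs it references.
    api_refs: iterable of fully qualified API names (e.g. from a DEX method list)."""
    refs = set(api_refs)
    element_weight = defaultdict(int)
    evidence = defaultdict(list)
    for element, table in policy["elements"].items():
        for api, weight in table.items():
            if api in refs:
                element_weight[element] += weight
                evidence[element].append(api)
    pattern_hits = [p for p in policy["patterns"] if all(e in element_weight for e in p)]
    element_total = sum(element_weight.values())
    score = element_total + sum(policy["patterns"][p] for p in pattern_hits)
    level = next(name for floor, name in policy["levels"] if score >= floor)
    return {
        "score": score,
        "level": level,
        "patterns": pattern_hits,
        # share of the element-based risk per action element, in percent
        "distribution": {e: round(100 * w / max(element_total, 1))
                         for e, w in element_weight.items()},
        "evidence": dict(evidence),
    }


if __name__ == "__main__":
    print(analyze_apis(["android.provider.ContactsContract",
                        "java.net.HttpURLConnection.getOutputStream"]))
```

A static API reference is evidence of capability, not of use: reflection, dynamically loaded DEX and native code hide APIs from this extractor, and dead library code inflates the score, which is why such a model is best paired with dynamic results.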
The present invention relates to a malicious code diagnosis/removal service device in virtualization environment, including: a malicious code diagnosis/removal service unit for a hypervisor which stores test target Identification (ID) signatures according to service information for diagnosing and removing malicious codes; and a malicious code diagnosis/removal service unit for a guest Operating System (OS) which diagnoses and removes the malicious codes using the test target ID signatures.
Disclosed are a terminal device and an AP access method of the terminal device. In the method, the terminal device receives an internal AP list from an AP management server, collects a list of accessible APs, and compares the two lists to determine whether any AP appears in both. When an overlapping AP is found, the terminal device concludes that it is located within the company or a predetermined area, so that it can be determined whether the terminal device is inside or outside the company.
The invention relates to an apparatus for preventing infection by malicious code, comprising: a database storing the files installed in an agent system, DNA values for each part of those files, and index information indicating whether each file is normal or malicious; a calculation unit which calculates the DNA value of one part of a file whose execution is requested in the agent system; and a file inspection unit which searches the database to extract, as a group, the files having the DNA value calculated by the calculation unit, inspects whether the object file is normal or malicious on the basis of the index information of the extracted group, and either allows execution of the object file or requests calculation of the DNA values of further parts of the object file.
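Added example of the progressive part-by-part lookup in the entry above: illustrative code written for this page, not the patent holder's implementation. The page does not fix the part size or the DNA function, so this takes 4 KiB parts and SHA-256 as hypothetical choices; the database contents are constructed. One design decision is made explicit that the abstract leaves open: an "allow" is issued only after every part has matched a known-normal file exactly, whereas a "block" may be issued as soon as every surviving candidate is malicious.

```python
import hashlib

PART_SIZE = 4096     # constructed choice: DNA is computed over fixed-size parts


def part_count(data: bytes) -> int:
    return -(-len(data) // PART_SIZE)


def dna(data: bytes, part: int) -> str:
    """DNA value of one part: SHA-256 of that slice (hypothetical choice)."""
    return hashlib.sha256(data[part * PART_SIZE:(part + 1) * PART_SIZE]).hexdigest()


class DnaDatabase:
    """Per-file DNA values for every part plus a normal/malicious index."""

    def __init__(self):
        self.files = {}          # name -> (list of part DNAs, verdict)

    def add(self, name: str, data: bytes, verdict: str):
        self.files[name] = ([dna(data, p) for p in range(part_count(data))], verdict)

    def group(self, prefix: list, exact: bool = False) -> set:
        """Names of stored files whose leading parts equal `prefix`
        (and that have no further parts, when exact=True)."""
        k = len(prefix)
        return {n for n, (parts, _) in self.files.items()
                if parts[:k] == prefix and (not exact or len(parts) == k)}


def inspect(db: DnaDatabase, data: bytes, max_parts=None):
    """Hash one part at a time until the surviving group settles the verdict.
    Returns (verdict, parts_hashed)."""
    n = part_count(data)
    limit = n if max_parts is None else min(n, max_parts)
    matched = []
    for p in range(limit):
        matched.append(dna(data, p))
        last = p + 1 == n
        group = db.group(matched, exact=last)
        if not group:
            return "unknown", p + 1
        verdicts = {db.files[name][1] for name in group}
        if verdicts == {"malicious"}:
            return "malicious", p + 1      # every candidate is bad: block early
        if last and verdicts == {"normal"}:
            return "normal", n             # allow only on a complete, exact match
    return "undecided", limit


# Constructed samples: two files share an identical 2-part prefix (think of a
# common packer stub) and differ from the third part on.
COMMON = b"MZ" + b"\x90" * (2 * PART_SIZE - 2)
BENIGN = COMMON + (b"benign-tail" * 400)[:PART_SIZE]
MALWARE = COMMON + (b"evil-tail" * 500)[:PART_SIZE]
TROJANIZED = BENIGN + b"evil"            # benign prefix, one extra malicious part


def sample_db() -> DnaDatabase:
    db = DnaDatabase()
    db.add("good.exe", BENIGN, "normal")
    db.add("bad.exe", MALWARE, "malicious")
    return db


if __name__ == "__main__":
    db = sample_db()
    for label, blob in (("malware", MALWARE), ("benign", BENIGN), ("trojanized", TROJANIZED)):
        print(label, inspect(db, blob))
```

Without the exact-match rule, TROJANIZED would be allowed after its third part because the only candidate sharing that prefix is good.exe; with it, the extra part yields "unknown" and the file goes to a full scan.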
An apparatus for preventing a distributed denial of service (DDoS) attack transmits, in place of the web server, a redirect message containing a redirect URL (Uniform Resource Locator) to a client terminal that has sent a request to access the web server. The apparatus authenticates a client terminal that re-sends the access request as a normal client terminal, and permits that client terminal to access the web server.
H04L 12/22 - Arrangements for preventing the taking of data from a data transmission channel without authorisation
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols, including means for verifying the identity or authority of a user of the system
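Added example of the redirect challenge described in the DDoS entry above: illustrative code written for this page, not the patent holder's implementation. The abstract does not say how the apparatus recognises a re-sent request as the same client, so this example binds an HMAC token to the client IP and a short expiry and carries it in the redirect URL (a hypothetical design, with a hypothetical secret and parameter name); both sides of the exchange are driven from a constructed request sequence:

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SECRET = b"rotate-me-regularly"   # hypothetical per-deployment key
TOKEN_TTL = 30                    # seconds a redirect token stays valid
PARAM = "_chal"                   # hypothetical query parameter carrying the token
PASS_TTL = 600                    # seconds an authenticated client is passed through


def _mac(client_ip: str, expiry: int) -> str:
    msg = f"{client_ip}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_redirect(url: str, client_ip: str, now: float) -> str:
    """Redirect target: the requested URL plus a token bound to client IP and expiry."""
    expiry = int(now) + TOKEN_TTL
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[PARAM] = [f"{expiry}.{_mac(client_ip, expiry)}"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def token_is_valid(token: str, client_ip: str, now: float) -> bool:
    try:
        expiry_s, mac = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    return now <= expiry and hmac.compare_digest(mac, _mac(client_ip, expiry))


class RedirectChallenge:
    """Front-end logic: an unknown client gets a 302 to the same URL with a token;
    a client that follows it with a valid token is remembered and forwarded."""

    def __init__(self):
        self.passed = {}   # client_ip -> time the client last authenticated

    def handle(self, client_ip: str, url: str, now: float):
        """Returns ("forward", url_for_web_server) or ("redirect", location)."""
        if now - self.passed.get(client_ip, float("-inf")) < PASS_TTL:
            return ("forward", url)
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        token = query.pop(PARAM, [None])[0]
        if token and token_is_valid(token, client_ip, now):
            self.passed[client_ip] = now
            clean = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
            return ("forward", clean)      # original request, token stripped
        return ("redirect", make_redirect(url, client_ip, now))


if __name__ == "__main__":
    front = RedirectChallenge()
    kind, location = front.handle("198.51.100.7", "http://www.example.com/index.html?q=1", 1000.0)
    print(kind, location)
    print(front.handle("198.51.100.7", location, 1001.0))
```

The filter only costs the attacker one extra round trip per source, which is enough against tools that fire requests without parsing responses but not against a real browser or a bot that follows redirects; binding the token to the IP also means clients behind one NAT share a verdict, and the `passed` table needs eviction in a long-running deployment.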
79.
System and method for logical separation of a server by using client virtualization
A system for logically separating a server using client virtualization includes a client terminal having a virtual environment generation unit for generating a virtual environment, and a virtualized server having a local storage unit, an authentication server for authenticating the client terminal when a request to access the local storage unit is received from a process executed in the virtual environment, and a virtualization filter driver for allowing or blocking the access request to the local storage unit based on the authentication result for the client terminal. The client terminal further includes a virtualization filter driver which forwards access requests to the local storage unit from processes executed in the virtual environment and blocks access requests to the local storage unit from processes that do not run in the virtual environment.
According to an update apparatus and an update method, it is possible to configure a native library from a target library to be updated, configure an interface library providing a Java Native Interface (JNI) function, which is a wrapper function for the target library, and then call an unload function for the target library through the interface library, so that the target library can be efficiently updated in the JAVA environment.
09 - Scientific and electric apparatus and instruments
Goods & Services
[ Computer network security devices, namely, computer network adapters, hubs, routers, and switches; ] computer software for security purposes, namely, protecting data and information by preventing unauthorized users from accessing them; downloadable computer software for security purposes, namely, protecting data and information by preventing unauthorized users from accessing them; downloadable computer software for security of mobile devices, namely, protecting data and information by preventing unauthorized users from accessing them; computer software that monitors, detects, intercepts, diagnoses and repairs computer viruses, all for computer security purposes; computers installed with computer software that monitors, detects, intercepts, diagnoses and repairs computer viruses, all for computer security purposes; [ encoded smart cards containing programming used to monitor, detect, intercept, diagnose and repair computer viruses for computer security purposes; ] computer software that monitors, detects, intercepts, diagnoses and repairs viruses of mobile devices, for security purposes
82.
COMPUTING APPARATUS AND AUTOMATIC CONNECTION SWITCHING METHOD OF THE COMPUTING APPARATUS
Disclosed is a method that blocks access to an internal server by a first process, which is allowed to access only an external server, while simultaneously supporting access to the internal server through a second process, which is allowed to access only the internal server, and that blocks access to the external server by the second process while simultaneously supporting access to the external server through the first process, whereby the inconvenience to a user caused by blocking access to a server can be minimized while network security is maintained.
The invention relates to an apparatus for detecting malicious sites, comprising: a monitoring unit for monitoring all processes being executed in a computing apparatus; a hook code insertion unit for inserting a hook code in a process executed in a browser when the execution of the browser is detected by the monitoring unit; a danger level determining unit that, upon the detection of a website movement, uses the hook code to inspect a stack structure of a process implemented according to the website movement and determine whether or not to perform the stack structure inspection, and determines whether or not the website to which the movement has been made is a malicious site; and a database for storing a list of sites determined to be malicious.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
84.
METHOD OF DETECTING ARP SPOOFING ATTACKS USING ARP LOCKING AND COMPUTER-READABLE RECORDING MEDIUM STORING PROGRAM FOR EXECUTING THE METHOD
A method of detecting an Address Resolution Protocol (ARP) spoofing attack includes initializing an ARP cache if an IP address in the ARP cache is consistent with any one of the IP addresses of the candidate senders and the MAC address in the ARP cache is not consistent with the MAC address of the candidate sender whose IP address matches that of the ARP cache. The method further includes blocking an inbound packet carrying an ARP response if the IP address of the sender of the ARP response is consistent with any one of the IP addresses of the candidate senders and the MAC address of the sender is not consistent with the MAC address of the candidate sender whose IP address matches that of the sender of the ARP response.
An apparatus for detecting malware in files includes an acquisition unit configured to obtain from a file system information about a first time point when a folder of interest is created by the file system, and information about a second time point when a file of interest is created in that folder by the file system; a candidate determination unit configured to determine, based on the information on the first and the second time point, whether the file of interest is a candidate file to be subjected to a malware inspection; and an inspection unit configured to perform the malware inspection on the file of interest determined to be a candidate file.
A method for detecting whether a file includes malware is performed on a device. The method includes extracting information of at least two predetermined items from the file; creating a genetic map for the file by converting the extracted information into a previously set format; comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the two; and determining that the file is malware when the similarity is higher than a reference value.
There is provided a method for detecting whether malicious content is included in a non-PE (Portable Executable) file. The method includes extracting information from a portion within the non-PE file in which the malicious content can be inserted and determining whether the malicious content is included in the non-PE file on the basis of the extracted information.
Disclosed are an apparatus and a method for removing malicious code. The present invention provides a technology that combines a cloud computing based network detection scheme with a conventional malicious code detection scheme, providing a detection engine to a client terminal according to the situation and based on the characteristics of the client terminal, so that malicious code can be handled efficiently.
The present invention relates to a method and apparatus for protecting data using a virtual environment, which creates a safe virtual environment that supports the execution of application programs being operated on a computer and which enables important data to be inputted or outputted only within the virtual environment, such that access to the important data is prevented in a general local environment. According to the present invention, data leakage is initially prevented to protect data, and convenience is provided in that a user may use the computer in a general manner while performing desired work.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
90.
Method for detecting and preventing a DDoS attack using cloud computing, and server
A method for detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server includes collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed by each of the clients and traffic information about network traffic caused by the file, from each client by using an agent that is installed in the client and that monitors the file currently being executed by the client. Further, the method includes analyzing, by the server, a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information. Furthermore, the method includes sending a command related to whether to block the file to the client according to the analyzed risk level.
An apparatus for blocking external access to a browser includes an access monitor for monitoring whether a program is accessing the browser; a document-object acquisition detector for detecting whether a program detected by the access monitor as accessing the browser acquires a document object of the browser; and an injection blocker for blocking the access of the program to the browser when the document-object acquisition detector detects the document object acquisition by the corresponding program.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
92.
Apparatus and method for preemptively protecting against malicious code by selective virtualization
In an apparatus and method for protecting resources of a computing system from a malicious code by selective virtualization, at least a part of the resources is classified as compulsory resources for executing a program on the computing system. When a vulnerable program executed in a separate space attempts to access one of the compulsory resources, an operating system level virtualization is performed. Further, when the vulnerable program attempts to access one of the resources of the computing system which is other than the compulsory resources, the vulnerable program is permitted to access a modified resource which is generated by modifying content of the resource.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
93.
TERMINAL DEVICE AND METHOD FOR CONFIRMING FILE DISTRIBUTOR OF SAME TERMINAL DEVICE
Disclosed are a terminal device and a method for confirming a file distributor of the same terminal device. The present invention according to embodiments caches the files previously executed through the terminal device together with their file distributor information, and can prevent the spread of malicious code in advance by comparing the cached files with a new file and extracting the distributor information of the new file when the new file is generated on the terminal device.
G06F 15/00 - Digital computers in general; Data processing equipment in general
G06F 17/00 - Digital computing or data processing equipment or methods, specially adapted for specific functions
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 21/73 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
G06F 9/06 - Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
94.
MOBILE COMMUNICATION TERMINAL HAVING A BEHAVIOR-BASED MALICIOUS CODE DETECTION FUNCTION AND DETECTION METHOD THEREOF
A mobile communication terminal comprises: a system unit which performs application installation and removal, outputs an installation completion message upon completion of the application installation, and provides, upon receipt of a request for authority information on the application, the requested authority information; a behavior information database in which behavior information data is stored; and an inspection unit which, upon receipt of the installation completion message from the system unit, requests the authority information from the system unit and receives it, and which compares the authority information with the behavior information data stored in the behavior information database to examine whether the application is malicious code or not.
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
A system for logical separation of a server by using client virtualization comprises: a client terminal equipped with a virtual environment generator for generating a virtual environment; and a virtualization server which includes a local storage unit, an authentication unit for performing authentication of the client terminal upon a request for access to the local storage unit from a process being executed in the virtual environment, and a server-side virtualization filter driver for allowing or blocking the access to the local storage unit on the basis of the authentication result of the client terminal. The client terminal further comprises a client-side virtualization filter driver for transmitting the request for access to the local storage unit from the process being executed in the virtual environment, and for blocking any request for access to the local storage unit from a process that has not gone through the virtual environment.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
G06F 21/20 - by restricting access to nodes in a computer system or computer network
96.
NETWORK SPLITTING DEVICE, SYSTEM AND METHOD USING VIRTUAL ENVIRONMENTS
A network splitting device using virtual environments serves to connect user equipment that is connected to a company network and an external network. The network splitting device comprises a packet transmitting/receiving section for receiving a packet that has been generated in the virtual environment of the user equipment, and transmitting the packet either to the external network or to the company network; a packet analysis section for analyzing the packet that has been sent from the packet transmitting/receiving section; and a packet processing section that splits the packet and then transmits the split packets to the external network or the company network, according to the packet analysis result and a preset packet processing policy.
A device for blocking malicious code using executable files comprises: a database which stores an original DNA value for each executable file stored in an agent system; a blocking unit which sets a blocking mode for blocking movement, alteration or generation of the executable files and, in the blocking mode, backs up the original of any executable file in the agent system before that file is altered; and a file execution unit which, upon an execution request for a specific executable file in the agent system, compares the DNA value of that executable file with its original DNA value stored in the database and thereby determines whether to execute it, and which restores and executes the backed-up original if the specific executable file has been altered.
G06F 21/20 - by restricting access to nodes in a computer system or computer network
G06F 9/06 - Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
G06F 9/44 - Arrangements for executing specific programs
98.
APPARATUS, SYSTEM, AND METHOD FOR PREVENTING INFECTION BY MALICIOUS CODE
The invention relates to an apparatus for preventing infection by malicious code, comprising: a database in which files installed in an agent system, DNA values for each portion of the files, and index information for indicating whether each file is normal or malicious are stored; a calculation unit which calculates a DNA value for a portion of a file for which an execution is requested in the agent system; and a file inspection unit which searches the database to extract, in a group, files having the DNA value calculated by the calculation unit, inspects whether an object file is normal or malicious on the basis of the index information on the files extracted in a group, and allows the execution of the object file or makes a request for the calculation of DNA values of other portions which selectively include one portion of the object file.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
G06F 17/30 - Information retrieval; Database structures therefor
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
A spoofing prevention method comprises: receiving an information packet that includes the IP address and MAC address of at least one host to build an IP-MAC database; comparing the IP address and the MAC address included in an outbound packet transmitted from the host with the IP-MAC address pair in the IP-MAC database; determining that the outbound packet is a spoofing packet if its IP address and MAC address do not coincide with the IP-MAC address pair in the IP-MAC database; and filtering the spoofing packet.
A signature database updating system comprises: a transaction information generating unit which generates transaction information for each database version on the basis of the modification details of that version, and stores the generated transaction information in a storage unit; a transaction log generating unit which compares the transaction information of the newest version with the transaction information of the other versions to generate a transaction log for each database version, and stores the generated transaction logs in the storage unit; and an updating server device which, upon receipt of database version information from a client terminal, extracts a transaction log from the storage unit on the basis of that version information and transmits the extracted transaction log to the client terminal to update the database of the client terminal.