Apparatus and method for blocking zombie behavior process
Abstract
Provided are an apparatus and method for blocking a zombie behavior process. The apparatus includes a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies; a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value; a process and traffic analyzer configured to find the abnormal process causing the abnormal traffic and detect the zombie behavior type associated with that process by analyzing the abnormal traffic against the zombie-behavior-type-specific traffic characteristics stored in the security policy storage; and a process handler configured to handle the process whose zombie behavior type has been detected according to the security policy defined for that type. In another aspect, the apparatus also includes a system process monitor and handler configured to detect whether a file associated with a system process has been modified and, if so, block the system process.
15 Claims
1. An apparatus for blocking a zombie behavior process performed in a computer connected to a network, the zombie behavior process being generated in the computer and attacking external computers, comprising:
a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies;
a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value;
a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic, and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage; and
a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type.
(Dependent claims 2 to 10 depend on claim 1 and are not reproduced here.)
11. A method of blocking a zombie behavior process generated in a computer connected to a network and attacking an external computer, the method being performed in a network driver stage of the computer and comprising:
monitoring traffic generated on the computer to detect abnormal traffic exceeding a predetermined reference value;
finding an abnormal process causing the abnormal traffic, and finding a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of zombie-behavior-type-specific traffic characteristics stored in a security policy storage;
when the zombie behavior type of the abnormal process has been found, handling the abnormal process according to a security policy for the zombie behavior type defined in the security policy storage;
when no zombie behavior type having the characteristic of the abnormal traffic caused by the abnormal process has been found, handling the abnormal process according to a security policy for other types defined in the security policy storage; and
storing the characteristic of the traffic caused by the process whose zombie behavior type has not been found in a new zombie behavior type storage.
(Dependent claims 12 and 13 depend on claim 11 and are not reproduced here.)
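The monitoring loop of claims 1 and 11, written out as an added Python example; this is not code from the patent or its assignee. The flow records, the packet count standing in for the "predetermined reference value", the three behavior-type predicates, the policy names and the sample window are all constructed assumptions. A real implementation would sit in the network driver, as claim 11 requires, and attribute packets to processes from the socket table; here the attribution is already present in each record.

```python
"""Per-process traffic monitor and zombie-behavior classifier.

Constructed illustration of the flow in claims 1 and 11, not the patent's
own code: the flow records, the packet threshold, the behavior-type
predicates and the policy names below are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound flow already attributed to a local process (assumed format)."""
    pid: int
    proc: str
    dst_ip: str
    dst_port: int
    proto: str               # "tcp" or "udp"
    packets: int
    syn_only: bool = False   # SYNs sent without a completed handshake


PACKET_THRESHOLD = 1000                   # assumed reference value per window
OTHER_TYPES_POLICY = "suspend_and_alert"  # assumed policy for "other types"


def _distinct_endpoints(flows):
    return len({(f.dst_ip, f.dst_port) for f in flows})


def _share(flows, pred):
    """Fraction of the process's packets that belong to flows matching pred."""
    total = sum(f.packets for f in flows)
    return sum(f.packets for f in flows if pred(f)) / total if total else 0.0


def _is_port_scan(flows):
    # many distinct endpoints, only a packet or three to each
    return _distinct_endpoints(flows) >= 50 and sum(f.packets for f in flows) / len(flows) <= 3


def _is_syn_flood(flows):
    # mostly half-open SYNs, concentrated on one or two targets
    return _share(flows, lambda f: f.syn_only) > 0.8 and len({f.dst_ip for f in flows}) <= 2


def _is_udp_flood(flows):
    return _share(flows, lambda f: f.proto == "udp") > 0.8 and len({f.dst_ip for f in flows}) <= 2


# Assumed security policy storage: (type, traffic characteristic, policy).
# List order is the match priority: a SYN scan also looks like a small SYN
# flood, so the more specific characteristic is checked first.
SECURITY_POLICY_STORAGE = [
    ("port_scan", _is_port_scan, "block_network"),
    ("syn_flood", _is_syn_flood, "kill"),
    ("udp_flood", _is_udp_flood, "kill"),
]


def find_abnormal_pids(flows, threshold=PACKET_THRESHOLD):
    """Traffic monitor plus attribution: pids whose packets exceed the reference value."""
    per_pid = defaultdict(int)
    for f in flows:
        per_pid[f.pid] += f.packets
    return {pid for pid, n in per_pid.items() if n > threshold}


def classify(flows):
    """Process and traffic analyzer: first stored type that matches, else 'other'."""
    for ztype, characteristic, policy in SECURITY_POLICY_STORAGE:
        if characteristic(flows):
            return ztype, policy
    return None, OTHER_TYPES_POLICY


def summarize(flows):
    """Characteristic record kept in the new-zombie-behavior-type storage."""
    return {
        "proc": flows[0].proc,
        "packets": sum(f.packets for f in flows),
        "distinct_endpoints": _distinct_endpoints(flows),
        "udp_share": round(_share(flows, lambda f: f.proto == "udp"), 2),
        "syn_share": round(_share(flows, lambda f: f.syn_only), 2),
    }


def handle(flows, threshold=PACKET_THRESHOLD):
    """One monitoring window: returns (pid -> (type, policy), new-type storage)."""
    by_pid = defaultdict(list)
    for f in flows:
        by_pid[f.pid].append(f)
    decisions, new_type_storage = {}, []
    for pid in sorted(find_abnormal_pids(flows, threshold)):
        ztype, policy = classify(by_pid[pid])
        decisions[pid] = (ztype, policy)
        if ztype is None:                      # unknown type: other-types policy, and record it
            new_type_storage.append(summarize(by_pid[pid]))
    return decisions, new_type_storage


# Constructed sample window (not captured traffic); RFC 5737 addresses.
SAMPLE_FLOWS = (
    [Flow(100, "browser.exe", "198.51.100.1", 443, "tcp", 50) for _ in range(3)]
    + [Flow(200, "bot.exe", "203.0.113.5", 80, "tcp", 1000, syn_only=True) for _ in range(5)]
    + [Flow(300, "scan.exe", "198.51.100.7", p, "tcp", 3, syn_only=True) for p in range(1, 401)]
    + [Flow(400, "updater.exe", f"192.0.2.{i}", 443, "tcp", 100) for i in range(1, 21)]
    + [Flow(500, "dnsx.exe", "203.0.113.9", 53, "udp", 300) for _ in range(10)]
)

if __name__ == "__main__":
    for pid, (ztype, policy) in handle(SAMPLE_FLOWS)[0].items():
        print(pid, ztype or "unknown", "->", policy)
```

Two points the code makes concrete. The volume threshold alone flags every bulk sender (pid 400 is a plausible updater), so the per-type characteristics, not the threshold, are what decide the action; a process that exceeds the threshold without matching any stored type falls through to the other-types policy and its summary is appended to the new-type storage, which is the step claim 11 adds over claim 1 and the input an operator would review before adding a new type to the storage.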
14. An apparatus for blocking a zombie behavior process performed in a computer connected to a network, the zombie behavior process being generated in the computer and attacking external computers, the apparatus comprising:
a system process reference list storage configured to store reference information about system processes used by an operating system of the computer;
a system process monitor configured to analyze a system process under execution in the computer, and sub-processes and files associated with the process, on the basis of the reference information about the system processes, and determine the system process to be a modified process when the system process, the sub-processes, or the files differ from the reference information; and
a modified-process handler configured to handle the modified process, the associated sub-processes, and the associated files according to a security policy when the system process monitor detects the modified process.
(Dependent claim 15 depends on claim 14 and is not reproduced here.)
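Claim 14's comparison of a running system process, its sub-processes and its files against a reference list, as an added Python example that is not the patent's code. The reference list, the process snapshot and the "block" policy are assumptions, and the hashes are SHA-256 over constructed byte strings so that the example runs offline.

```python
"""System-process integrity check in the shape of claim 14.

Constructed illustration, not the patent's code. The reference list, the
process snapshot and the policy name are assumptions; hashes are SHA-256
over made-up byte strings so that everything runs offline.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class RunningProcess:
    """Snapshot of one process: its image, sub-processes and loaded files (assumed)."""
    name: str
    image: bytes
    children: tuple = ()
    files: dict = field(default_factory=dict)   # path -> file contents


# Assumed "system process reference list storage": image hash, the
# sub-processes each system process may spawn, and hashes of the files it
# is expected to load. In practice this is captured from a known-clean install.
REFERENCE_LIST = {
    "services.exe": {
        "image": sha256(b"services.exe clean"),
        "children": {"svchost.exe"},
        "files": {r"C:\Windows\System32\sechost.dll": sha256(b"sechost.dll clean")},
    },
    "svchost.exe": {
        "image": sha256(b"svchost.exe clean"),
        "children": set(),
        "files": {r"C:\Windows\System32\rpcss.dll": sha256(b"rpcss.dll clean")},
    },
    "lsass.exe": {
        "image": sha256(b"lsass.exe clean"),
        "children": set(),
        "files": {r"C:\Windows\System32\samsrv.dll": sha256(b"samsrv.dll clean")},
    },
}


def find_deviations(proc, reference=REFERENCE_LIST):
    """System process monitor: compare the process, its sub-processes and its
    files with the reference information. Returns None for a name that is not
    in the list (not a system process), otherwise the differences (empty = clean)."""
    ref = reference.get(proc.name)
    if ref is None:
        return None
    deviations = []
    if sha256(proc.image) != ref["image"]:
        deviations.append("image hash mismatch")
    for child in proc.children:
        if child not in ref["children"]:
            deviations.append(f"unexpected sub-process {child}")
    for path, expected in ref["files"].items():
        actual = proc.files.get(path)
        if actual is None:
            deviations.append(f"missing file {path}")
        elif sha256(actual) != expected:
            deviations.append(f"modified file {path}")
    for path in proc.files:
        if path not in ref["files"]:
            deviations.append(f"unexpected file {path}")
    return deviations


def handle_modified(snapshot, policy="block"):
    """Modified-process handler: name -> (action, deviations) for every system
    process in the snapshot; the assumed policy applies on any deviation."""
    actions = {}
    for proc in snapshot:
        dev = find_deviations(proc)
        if dev is None:            # not a system process: out of scope here
            continue
        actions[proc.name] = (policy if dev else "allow", dev)
    return actions


# Constructed snapshot: a clean process, one with an injected DLL and an
# unexpected child, one whose image was replaced, and one non-system program.
SNAPSHOT = [
    RunningProcess("services.exe", b"services.exe clean", ("svchost.exe",),
                   {r"C:\Windows\System32\sechost.dll": b"sechost.dll clean"}),
    RunningProcess("svchost.exe", b"svchost.exe clean", ("cmd.exe",),
                   {r"C:\Windows\System32\rpcss.dll": b"rpcss.dll clean",
                    r"C:\Users\Public\evil.dll": b"not a system dll"}),
    RunningProcess("lsass.exe", b"lsass.exe PATCHED", (),
                   {r"C:\Windows\System32\samsrv.dll": b"samsrv.dll clean"}),
    RunningProcess("notepad.exe", b"user program"),
]

if __name__ == "__main__":
    for name, (action, dev) in handle_modified(SNAPSHOT).items():
        print(f"{name}: {action} {dev}")
```

The check is only as good as its two inputs: the reference list must be protected from the same process that could modify the system process (signed, or stored where the monitored code cannot write), and the snapshot must come from a vantage point the attacker does not control, since a kernel-level implant can hand a user-mode monitor a clean view of the image and its loaded files.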