Apparatus and method for blocking zombie behavior process
First Claim
1. An apparatus for blocking a zombie behavior process performed in a computer connected to a network, the zombie behavior process being generated in the computer, and attacking external computers, comprising:
an enterprise security management (ESM) server;
a security policy storage receiving security policies including one or more zombie behavior type, traffic threshold values related to a specific zombie behavior type, an allowed times exceeding traffic threshold value related to the specific zombie behavior type, and blocking policies related to the specific zombie behavior type from the ESM server, the security policy storage storing the security policies;
a traffic monitor monitoring traffic generated on the computer and detecting abnormal traffic exceeding a predetermined reference value in a network driver stage of the computer while monitoring all traffic generated on the computer;
a process and traffic analyzer detecting an abnormal process causing the abnormal traffic, and detecting a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic related to the abnormal process on the basis of the traffic threshold values and the allowed times exceeding traffic threshold value;
a process handler handling the abnormal process, whose zombie behavior type has been detected on the basis of a blocking policy defined for the detected zombie behavior type;
an event log storage storing an event log generated in association with the abnormal process and transmitting the event log to the ESM server; and
a new zombie type storage storing traffic characteristics of a new abnormal process whose zombie behavior type has not been detected and transmitting the traffic characteristics of the new abnormal process to the ESM server;
wherein the analyzed abnormal traffic exceeds both the traffic threshold values and the allowed times exceeding traffic threshold value; and
wherein the security policies are updated based on the event log and the traffic characteristics of the new abnormal process by the ESM server;
wherein the apparatus is disposed in a network driver stage of the computer connected to the network;
wherein the zombie behavior type includes other types of behaviors; and
when the zombie behavior type of the new abnormal process has not been detected, a security policy defined for the other types of behaviors is applied to the abnormal process.
Abstract
Provided are an apparatus and method for blocking a zombie behavior process. The apparatus includes a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies, a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value, a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage, and a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type. Also, the apparatus according to another aspect includes a system process monitor and handler configured to detect whether or not a file associated with a system process is modified and block the system process.
6 Claims
5. A method of blocking a zombie behavior process generated in a computer connected to a network and attacking an external computer, the method being performed in a network driver stage of the computer and comprising:
receiving security policies including one or more zombie behavior type, traffic threshold values related to a specific zombie behavior type, an allowed times exceeding traffic threshold value related to the specific zombie behavior type, and blocking policies related to the specific zombie behavior type from an enterprise security management (ESM) server;
storing the security policies in a security policy storage;
monitoring traffic generated on the computer to detect abnormal traffic exceeding a predetermined reference value in a network driver stage of the computer while monitoring all traffic generated on the computer connected to the network;
detecting an abnormal process causing the abnormal traffic, and detecting a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic related to the abnormal process on the basis of the traffic threshold values and the allowed times exceeding traffic threshold value stored in the security policy storage;
when the zombie behavior type of the abnormal process has been found, handling the abnormal process on the basis of the blocking policies for the zombie behavior type defined in the security policy storage, and transmitting an event log generated in association with the abnormal process to the ESM server; and
when the zombie behavior type having a characteristic of the abnormal traffic caused by a new abnormal process has not been detected, handling the new abnormal process on the basis of the security policies for other types defined in the security policy storage, and transmitting the traffic characteristics of the new abnormal process to the ESM server;
wherein the analyzed abnormal traffic exceeds both the traffic threshold values and the allowed times exceeding traffic threshold value;
wherein the security policies are updated based on the event log and the traffic characteristics of the new abnormal process by the ESM server;
wherein the zombie behavior type includes other types of behaviors; and
when the zombie behavior type of the new abnormal process has not been detected, a security policy defined for the other types of behaviors is applied to the abnormal process.
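The policy evaluation that claim 1 (apparatus) and claim 5 (method) describe, written out as an added Python illustration that is not part of the patent: per-type traffic thresholds, an allowed number of threshold exceedances, a blocking policy per type, a fallback "other" policy for abnormal traffic that matches no known type, and the event log and new-type characteristics that would be sent to the ESM server. The behavior type names, metric names, threshold values, actions and traffic samples are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed security policies (as received from the ESM server in the claims):
# one entry per zombie behavior type plus the "other" fallback policy.
POLICIES = {
    "syn_flood": {"metric": "syn_per_sec", "threshold": 200, "allowed_exceed": 3, "action": "kill"},
    "dns_flood": {"metric": "dns_per_sec", "threshold": 100, "allowed_exceed": 5, "action": "block_net"},
    "other":     {"action": "suspend"},
}
REFERENCE_PPS = 150  # the traffic monitor's "predetermined reference value" (assumed figure)


@dataclass
class ZombieAnalyzer:
    """Process-and-traffic analyzer plus process handler, per the claims (hypothetical names)."""
    policies: dict
    exceed_counts: dict = field(default_factory=lambda: defaultdict(int))  # (pid, type) -> count
    event_log: list = field(default_factory=list)   # would be transmitted to the ESM server
    new_types: list = field(default_factory=list)   # traffic characteristics of unmatched processes

    def observe(self, sample):
        """sample: per-process, per-second counters captured at the network driver stage.
        Returns the handling action, "watch" while still within the allowed exceedances,
        or None when the traffic is not abnormal at all."""
        if sample["pps"] <= REFERENCE_PPS:
            return None  # traffic monitor: below the reference value, nothing to analyze
        pid = sample["pid"]
        for ztype, pol in self.policies.items():
            if ztype == "other":
                continue
            if sample.get(pol["metric"], 0) > pol["threshold"]:
                self.exceed_counts[(pid, ztype)] += 1
                # a type is detected only once BOTH the threshold and the allowed
                # number of exceedances are surpassed, as the claims require
                if self.exceed_counts[(pid, ztype)] > pol["allowed_exceed"]:
                    self.event_log.append({"pid": pid, "type": ztype, "action": pol["action"]})
                    return pol["action"]
                return "watch"  # assumption: within allowance means keep observing
        # abnormal traffic matching no known type: record its characteristics for the
        # ESM server and apply the policy defined for "other types of behaviors"
        self.new_types.append({"pid": pid, "traffic": dict(sample)})
        return self.policies["other"]["action"]


if __name__ == "__main__":
    a = ZombieAnalyzer(POLICIES)
    flood = {"pid": 4242, "pps": 400, "syn_per_sec": 300}   # constructed sample
    print([a.observe(flood) for _ in range(4)])             # 3x watch, then kill
    print(a.observe({"pid": 7, "pps": 160}), a.new_types)   # unmatched -> suspend
```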