What technology area does this patent fall under?

Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.

When was this patent published?

Publication date Thu Jul 14 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).

Cyber black box system and method thereof

US2016205118A1 · US · A1

Patent metadata
Field	Value
Publication number	US-2016205118-A1
Application number	US-201514937498-A
Country	US
Kind code	A1
Filing date	Nov 10, 2015
Priority date	Jan 13, 2015
Publication date	Jul 14, 2016
Grant date	—

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Provided is a cyber black box system. The cyber black box system includes a data collector configured to collect entire packet data, flow data, and a portable executable (PE) file from monitored network traffic and a server configured to analyze a cause of a cyber intrusion event and reproduce the cyber intrusion event, based on the collected entire packet data, flow data, and PE file.

First claim

Opening claim text (preview).

What is claimed is: 1 . A method of collecting evidence data of a cyber intrusion event, the method comprising: extracting entire packet data from monitored network traffic; analyzing the extracted entire packet data based on an Internet protocol (IP), a port, and a protocol to extract, as flow data, a bundle of packet data having the same feature; extracting, as a portable executable (PE) file, a bundle of packet data having a PE format from the extracted entire packet data; temporarily storing, in a buffer, and collecting the extracted entire packet data, flow data, and PE file; applying a hash function to each of the temporarily stored entire packet data, flow data, and PE file to generate a hash value; and storing, as the evidence data, the generated hash value and the temporarily stored entire packet data, flow data, and PE file in a storage unit. 2 . The method of claim 1 , wherein the collecting comprises storing the extracted entire packet data, flow data, and PE file in the buffer in units of a predetermined collection time. 3 . The method of claim 1 , wherein the bundle of the packet data is a file having a packet capture (PCAP) format. 4 . The method of claim 3 , further comprising: encoding the extracted entire packet data, flow data, and PE file which are temporarily stored in the buffer, wherein the encoding comprises encoding the extracted entire packet data, flow data, and PE file in units of the file. 5 . The method of claim 1 , wherein the storing comprises storing the evidence data in the storage unit that supports a write once read many (WORM) function. 6 . The method of claim 1 , wherein the storing comprises further storing metadata of the PE file in the storage unit. 7 . A cyber black box system that collects evidence data of a cyber intrusion event and analyzes a cause of the cyber intrusion event, based on the collected evidence data, the cyber black box system comprising: a data collector configured to collect entire packet data, flow data, and a portable executable (PE) file from monitored network traffic; and a server configured to analyze the cause of the cyber intrusion event and reproduce the cyber intrusion event, based on the collected entire packet data, flow data, and PE file. 8 . The cyber black box system of claim 7 , wherein the data collector comprises: a packet extraction unit configured to extract the entire packet data from the monitored network traffic; a flow data extraction unit configured to analyze the extracted entire packet data based on an Internet protocol (IP), a port, and a protocol to extract, as flow data, packet data having the same feature; a PE file extraction unit configured to extract, as the PE file, packet data having a PE format from the extracted entire packet data; and a storage unit configured to store the entire packet data, the flow data, and the PE file as the evidence data. 9 . The cyber black box system of claim 8 , further comprising: an encoding unit configured to encode the extracted entire packet data, flow data, and PE file, wherein the storage unit stores the encoded entire packet data, flow data, and PE file. 10 . The cyber black box system of claim 8 , wherein the storage unit is a storage medium configured to support a write once read many (WORM) function. 11 . The cyber black box system of claim 8 , further comprising: a buffer configured to temporarily store the extracted entire packet data, flow data, and PE file in units of a certain collection time. 12 . The cyber black box system of claim 11 , wherein the storage unit stores the entire packet data, the flow data, and the PE file which are temporarily stored in the buffer in units of the certain collection time. 13 . The cyber black box system of claim 8 , wherein the storage unit stores the entire packet data, the flow data, and the PE file as a file having a packet capture (PCAP) format. 14 . The cyber black box system of claim 8 , further comprising: a hash value generation unit configured to apply a hash function to each of the extracted entire packet data, flow data, and PE file to generate a hash value thereof. 15 . The cyber black box system of claim 14 , wherein the storage unit stores the hash value as the evidence data.

Assignees

Korea Electronics Telecomm

Inventors

Kim Jong Hyun

Classifications

H04L63/1416Primary
Event detection, e.g. attack signature detection · CPC title
H04L63/1408Primary
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
H04L63/145
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
H04L2463/146
Tracing the source of attacks · CPC title
H04L63/1425
Traffic logging, e.g. anomaly detection · CPC title

Patent family

Related publications grouped by family.

View patent family 56368362

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016205118A1 cover?: Provided is a cyber black box system. The cyber black box system includes a data collector configured to collect entire packet data, flow data, and a portable executable (PE) file from monitored network traffic and a server configured to analyze a cause of a cyber intrusion event and reproduce the cyber intrusion event, based on the collected entire packet data, flow data, and PE file.
Who is the assignee on this patent?: Korea Electronics Telecomm
What technology area does this patent fall under?: Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?: Publication date Thu Jul 14 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).