Title of invention: SECURITY APPARATUS FOR THREAT DETECTION IN THE ENTERPRISE INTERNAL COMPUTATION ENVIRONMENT
Abstract: The present invention relates to a security architecture for threat detection in an internal enterprise computation environment, comprising: an information collection unit, which comprises a traffic information collection sensor for collecting information on all traffic flowing through the network, a RAW packet collection sensor for storing all traffic transmitted over the network as packets, and an executable file analyzer for reassembling the contents of executable files from network packets and analyzing them; an information analysis unit, which comprises a log collection unit for centrally storing all logs collected by the information collection unit, a log correlation analyzer for analyzing correlations between the logs held by the log collection unit, and an integrated dashboard that presents the current network status produced by the log correlation analyzer to security personnel; and an infringement (security) incident management unit, which comprises a malicious-code-infected PC analysis unit for determining the malicious code infection status of the internal enterprise network, and an incident response status management unit for recording the response status of an incident from start to finish. The present invention analyzes all communications from the interior to the exterior using a protocol analyzer and, in order to detect zero-day type malicious code introduced into the internal enterprise network, collects all executable files from all communications and subjects them to behavior-based analysis. This addresses the limitations of conventional technologies: detection dependent on a specific protocol, detection dependent on a specific service, signature-based detection that is easy to evade, anomaly detection limited to the network infrastructure, and detection specific to a single service network.
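The executable file analyzer described in the abstract has to rebuild a file from the packets of a transfer before it can classify or hash it. The following is an added illustration of that reassembly step, written for this page; it is not code from the patent and makes no claim about how the patented apparatus is implemented. It assumes TCP payloads have already been extracted from a capture as (relative sequence number, payload) pairs, that the file arrives in an HTTP/1.x response body, and that the classifier only needs to recognise PE and ELF magic bytes. The `Segment` type, the sample header and the minimal MZ/PE header are constructed here for the example and are not a real program.

```python
"""Reassemble a file carried over TCP from captured segments and flag executables.

Added example for this page: a toy version of the "recombine executable contents
from network packets" step. Segment, SAMPLE_* and the helper names are assumptions
made for the illustration, not identifiers from the patent.
"""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment: relative sequence number plus payload bytes."""
    seq: int
    payload: bytes


def reassemble(segments, base_seq=0):
    """Rebuild the byte stream from unordered, possibly retransmitted segments.

    Returns (data, gaps). Missing ranges are zero-filled and reported in gaps so
    the caller can refuse to trust a hash computed over an incomplete file.
    """
    data = bytearray()
    gaps = []
    expected = base_seq
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue  # pure retransmission of bytes already placed
        if seg.seq > expected:
            gaps.append((expected, seg.seq))
            data.extend(b"\x00" * (seg.seq - expected))
            expected = seg.seq
        data.extend(seg.payload[expected - seg.seq:])  # drop overlapping prefix
        expected = end
    return bytes(data), gaps


def http_body(stream):
    """Strip an HTTP/1.x response header block; return the stream unchanged
    if no header block is present (the file may not be HTTP-framed)."""
    marker = b"\r\n\r\n"
    if stream.startswith(b"HTTP/1.") and marker in stream:
        return stream.split(marker, 1)[1]
    return stream


def classify(data):
    """Identify executables by magic bytes: ELF, PE (MZ + PE\\0\\0), bare MZ stub."""
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"
    return "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def analyze(segments):
    """Reassemble, strip HTTP framing, classify and hash the transferred file.
    'complete' is False when segments were missing; the hash is then unreliable."""
    stream, gaps = reassemble(segments)
    body = http_body(stream)
    return {
        "kind": classify(body),
        "size": len(body),
        "sha256": sha256_hex(body),
        "complete": not gaps,
        "gaps": gaps,
    }


# Constructed sample: a minimal MZ/PE header (80 bytes, not a real program) sent as
# an HTTP response, captured out of order with one retransmitted segment.
SAMPLE_FILE = (
    b"MZ" + b"\x00" * (0x3C - 2)          # DOS header up to e_lfanew
    + struct.pack("<I", 0x40)             # e_lfanew -> PE signature at offset 0x40
    + b"PE\x00\x00" + b"\x00" * 12        # PE signature plus padding
)
SAMPLE_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
_stream = SAMPLE_HEADER + SAMPLE_FILE
SAMPLE_SEGMENTS = [
    Segment(40, _stream[40:70]),
    Segment(0, _stream[0:40]),
    Segment(40, _stream[40:70]),   # retransmission, must not duplicate bytes
    Segment(70, _stream[70:]),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_SEGMENTS))
```

The point of reporting `gaps` rather than silently zero-filling is that a sensor which drops packets under load would otherwise hand a wrong hash and a wrong file to the behavior-analysis stage; a practitioner would only submit files with `complete` set, and would treat incomplete transfers as a collection failure to be logged on the dashboard rather than as benign.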
Publication number: KR101518233(B1)   Publication date: 2015.05.12
Application number: KR20140038101   Filing date: 2014.03.31
Applicant: SOONCHUNHYANG UNIVERSITY INDUSTRY ACADEMY COOPERATION FOUNDATION   Inventors: KWAK, JIN; SEO, JIN WON
IPC classification: H04L12/22; H04L12/24; H04L12/26   Main classification: H04L12/22
Agency:   Agent:
Main claim:
Address: