
METHOD FOR REAL-TIME ENCRYPTION PACKET SEPARATION AND IDENTIFICATION IN HIGH SPEED TRAFFIC AND INTERWORKING WITH YARA DETECTION ON IDENTIFIED PACKET AND APPARATUS THEREOF


Abstract

The present invention relates to a packet-based threat detection apparatus that provides visibility into encrypted traffic in conjunction with YARA detection technology. The apparatus is implemented on a hardware module comprising a Field Programmable Gate Array (FPGA) and memory. It comprises: an encrypted-traffic decryption engine (110) that decrypts encrypted network traffic data using a certificate; an intrusion detection engine (120) that applies predetermined intrusion detection rules to the decrypted traffic data and blocks traffic in which a threat is detected; and a packet-based YARA detection engine (130) that, for traffic data in which the intrusion detection engine (120) detected no threat, applies YARA rules on a per-packet basis, without combining the traffic data into a complete file, to re-detect threats.
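As an added illustration (not code from the patent or its applicant): the abstract's key design choice is that the YARA stage scans each decrypted packet on its own rather than reassembling a file first. The Python below stands in for that stage with plain byte regular expressions (not the YARA engine; the rule bodies, segment size and the sample HTTP stream are all constructed here) and shows the check a practitioner should run against such an engine: a signature that straddles a packet boundary is missed by a strict per-packet scan, and carrying a short tail of the previous packet forward (an assumed mitigation, not something the patent describes) recovers it without buffering the stream.

```python
"""Per-packet signature scan vs. stream reassembly (added example, not the patent's code).

Regular expressions stand in for YARA string/regex rules; the sample stream and
segment sizes are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed stand-in rules (assumption: real deployments compile YARA rules
# with yara-python; these are plain byte regexes with the same intent).
RULES = {
    "php_webshell_eval": rb"<\?php\s+eval\s*\(\s*\$_(POST|GET|REQUEST)",
    "mimikatz_banner": rb"gentilkiwi",
}
COMPILED = {name: re.compile(pat) for name, pat in RULES.items()}

# Assumption: an upper bound on the longest byte sequence any rule needs to see.
MAX_SIG_LEN = 64


def segment(payload: bytes, mss: int) -> list[bytes]:
    """Split a byte stream into fixed-size chunks standing in for TCP segment payloads."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def scan_bytes(buf: bytes) -> set[str]:
    """Return the names of all rules whose pattern occurs in buf."""
    return {name for name, rx in COMPILED.items() if rx.search(buf)}


def scan_per_packet(packets: Iterable[bytes]) -> set[str]:
    """Strict per-packet matching: every segment is scanned in isolation."""
    hits: set[str] = set()
    for pkt in packets:
        hits |= scan_bytes(pkt)
    return hits


def scan_per_packet_with_overlap(packets: Iterable[bytes],
                                 overlap: int = MAX_SIG_LEN - 1) -> set[str]:
    """Per-packet matching that prepends the tail of the previous segment.

    Carrying (MAX_SIG_LEN - 1) bytes forward is enough for any signature of
    at most MAX_SIG_LEN bytes to appear whole in some window, without
    buffering the stream. (Assumed mitigation, not taken from the patent.)
    """
    hits: set[str] = set()
    tail = b""
    for pkt in packets:
        window = tail + pkt
        hits |= scan_bytes(window)
        tail = window[-overlap:] if overlap > 0 else b""
    return hits


def scan_reassembled(packets: Iterable[bytes]) -> set[str]:
    """Reference behaviour: reassemble the whole stream, then scan once."""
    return scan_bytes(b"".join(packets))


# Constructed sample: a decrypted HTTP response whose body carries a PHP webshell.
# The 17-byte prefix "<?php eval($_POST" starts at offset 85 of this stream.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    + b"A" * 40
    + b"<?php eval($_POST['cmd']); ?>"
    + b"B" * 40
)


def demo(mss: int = 100) -> dict[str, set[str]]:
    """Scan SAMPLE split into mss-byte segments three ways and return the hits."""
    pkts = segment(SAMPLE, mss)
    return {
        "per_packet": scan_per_packet(pkts),
        "per_packet_overlap": scan_per_packet_with_overlap(pkts),
        "reassembled": scan_reassembled(pkts),
    }


if __name__ == "__main__":
    # With mss=100 the webshell prefix straddles the first segment boundary,
    # so only the overlap and reassembled scans report the match.
    for mode, hits in demo().items():
        print(f"{mode:>20}: {sorted(hits) or 'no match'}")
```

A second caveat worth checking against any per-packet YARA engine: rule conditions that reason about the whole object (filesize, uint16(0) header checks at offset 0, entrypoint) lose their meaning when the scanned object is a single packet, so only content-string and regex rules transfer cleanly to the design the abstract describes.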

Bibliographic data

  • Publication number: KR102152313B1

    Patent type

  • Publication date: 2020-09-04

    Original format: PDF

  • Applicant/assignee: (주)피즐리소프트;

    Application number: KR20190106481

  • Inventors: 이호재; 강병완; 박석영;

    Filing date: 2019-08-29

  • IPC classification: H04L29/06; G06F9/30; H04L29/08;

  • Country: KR

  • Database entry time: 2022-08-21 11:03:53
