ZombieZERO Network Inspector

A network APT attack detection solution built on a sandbox-based virtual system

Introduction to ZombieZERO Network Inspector

An appliance that collects packets on the network and detects and analyzes APT attacks. It consists of a network-based detection system and an analysis system that uses a virtual system (sandbox). Files are analyzed in three steps, by signature and by behavior, so that unknown malware can be detected and potential internal threats can be responded to in advance.

[Figure: Whole analysis process of ZombieZERO Network Inspector]

Main Features

> Malware analysis system in 3 steps

  • 1) Signature-based analysis: extracts attached archive files, collects and classifies the contents by type, and pre-detects them with the Anti-virus engine (Bitdefender).
  • Inside the Sandbox (static and dynamic analysis below): a pattern is registered automatically when a file is proven to be malicious.
  • 2) Yara Rule-based static analysis: analyzes vulnerabilities in source code and scripts using Yara Rules.
  • 3) Behavior-based dynamic analysis: executes the file in a virtual machine and provides the detection result.
  • Generates and distributes patterns for detected malware and treats infected PCs.
  • Configures the Sandbox (virtual machine) environment to match the user PCs (license included).

> Dual Detection and Blocking of C&C Server Access

  • Detects C&C access through analysis of outbound URL and URI access patterns.
  • Dual detection and blocking of internal users' C&C server access (DNS Sinkhole, TCP Reset).
  • Supports real-time live update of the C&C database by interworking with the C&C server list from NSOC (NPCore Security Operation Center).
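The dual detection described above, as an added illustration that is not NPCore's code: a small Python triage routine that matches outbound DNS queries against a C&C domain list (answering with a sinkhole address) and outbound HTTP requests against C&C hosts and URI access patterns (flagging the session for a TCP reset). The indicator values, log format and sinkhole address are all constructed assumptions.

```python
import re

# Constructed C&C indicators (placeholders, not from any real feed).
CNC_DOMAINS = {"cnc.example.test", "beacon.example.test"}
# Constructed URI access patterns typical of bot check-in traffic.
CNC_URI_PATTERNS = [
    re.compile(r"^/gate\.php\?id=[0-9a-f]{8,}$"),
    re.compile(r"^/api/v1/(beacon|task)\b"),
]
SINKHOLE_IP = "10.0.0.254"  # assumed internal sinkhole address


def domain_listed(name):
    """True if the name or any of its parent domains is on the C&C list."""
    labels = name.rstrip(".").lower().split(".")
    # Walk from the full name up to the registrable domain, skipping the bare TLD.
    return any(".".join(labels[i:]) in CNC_DOMAINS for i in range(len(labels) - 1))


def inspect_dns(src, qname):
    """DNS sinkhole decision: listed name -> answer with the sinkhole address."""
    if domain_listed(qname):
        return {"src": src, "action": "DNS_SINKHOLE", "answer": SINKHOLE_IP, "match": qname}
    return None


def inspect_http(src, host, uri):
    """TCP reset decision: listed host or matching URI pattern -> reset the session."""
    if domain_listed(host) or any(p.search(uri) for p in CNC_URI_PATTERNS):
        return {"src": src, "action": "TCP_RESET", "match": host + uri}
    return None


def inspect(lines):
    """Run both detectors over constructed log lines of the form
    '<src_ip> DNS <qname>' or '<src_ip> HTTP <host> <uri>' and return the hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if fields[1] == "DNS":
            rec = inspect_dns(fields[0], fields[2])
        else:
            rec = inspect_http(fields[0], fields[2], fields[3])
        if rec:
            hits.append(rec)
    return hits


# Constructed sample log: two benign lines, one DNS hit and two HTTP hits.
SAMPLE_LOG = [
    "192.0.2.10 DNS www.example.org",
    "192.0.2.10 DNS sub.cnc.example.test",
    "192.0.2.11 HTTP update.example.org /gate.php?id=deadbeef01",
    "192.0.2.12 HTTP www.example.org /index.html",
    "192.0.2.12 HTTP beacon.example.test /",
]
```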

> File collection from high-volume inbound and outbound traffic, intelligent analysis and malicious behavior detection

  • Collects incoming files carried over file transfer protocols such as Web, FTP, SMTP, IMAP and POP3.
  • Collects and analyzes incoming files of various types, such as executables, archives and documents.
  • Integrated analysis by session.
  • Hazard checking of a file's network behavior (DNS, URL, etc.).
  • Detects botnet communication through related searches even under large traffic volumes.

> Behavior-based analysis using a virtual system

  • Provides a virtual machine (Sandbox) composed of a static and a dynamic analysis system.
  • Analyzes PE files (DLL, EXE, etc.), compressed files and document files in various formats (MS Office, HWP, PDF, etc.).
  • Executes suspicious files in the dynamic analysis system, analyzes process, file, network and memory behavior, and provides a malignancy verdict.
  • Analyzes file source code and scripts with the static analysis system (PE-static, document-static) to detect possible attacks exploiting software vulnerabilities (injection, web) and provides details of the result.
  • Detects malware that avoids virtual machines by removing the VM-detection part from the executable and forcing execution.

> Detection and Analysis

  • Analyzes malware through a virtual machine in a closed environment.
  • Supports manual pattern updates even in an internet-blocked environment.
  • Prohibits outbound transmission of the analyzed file and data; analysis takes place entirely inside virtualization.
  • Registers and detects user-defined patterns written as regular strings.
  • Extracts and saves the malware files used for infection and malicious behavior.
  • Provides detailed analysis of malicious traffic through PCAP.

> Efficiency

  • Scalability for future increases in personnel or equipment.
  • Web-based access to the management screen over an encrypted protocol.
  • Blocks IPs and URLs from a mirroring configuration that does not affect the network.
  • Restores files blocked due to false positives.

ZombieZERO Real machine (roadmap)

> A solution that thoroughly detects APT/malware that bypasses the virtual system

  • Used together with the virtual system to detect and block APT/malware that evades it.
  • Transmits suspicious files from the virtual system to the 'Real machine' for dual analysis.
  • The Real machine's environment is configured the same as the user PCs (license included).
  • Inspector 1000R (with 10 Real machines), Inspector 2000R (with 20 Real machines)

[Figure: ZombieZERO Network Inspector system block diagram]

Product Specifications (HW or Cloud type)

Per-model capacity:

| Model | Inspector 300 | Inspector 500 | Inspector 1000 | Inspector 2000 | Inspector 5000 |
|---|---|---|---|---|---|
| Configuration | Detector + Analyzer | Detector + Analyzer | Detector + Analyzer | Detector / Analyzer (separate units) | Detector / Analyzer (separate units) |
| Traffic Coverage | ~ 200Mb | ~ 300Mb | ~ 1Gb | ~ 4Gb | ~ 20Gb |
| Coverage of 'EDR for APT' | ~ 300 Users | ~ 500 Users | ~ 1,000 Users | ~ 5,000 Users | ~ 10,000 Users |
| malware/min | 3 | 5 | 10 | 20 | 40 |
| Virtual OS | 3EA | 5EA | 10EA | 20EA | 40EA |

Per-unit hardware:

| Unit | Inspector 300 | Inspector 500 | Inspector 1000 | Inspector 2000 Detector | Inspector 2000 Analyzer | Inspector 5000 Detector | Inspector 5000 Analyzer |
|---|---|---|---|---|---|---|---|
| CPU | Intel Xeon Quad 3.1GHz | Intel Xeon Quad 3.1GHz | Intel Xeon Quad 3.4GHz | Intel Xeon Quad 3.4GHz | Dual Intel Xeon Hexa 2.1GHz | Dual Intel Xeon Hexa 2.1GHz | Dual Intel Xeon Hexa 2.1GHz |
| Memory | DDR3 16GB | DDR3 24GB | DDR3 32GB | DDR3 32GB | DDR3 64GB | DDR3 32GB | DDR3 128GB |
| RAID | SAS 512GB | SAS 512GB | SAS 512GB | SAS 512GB | SAS 1TB | SAS 512GB | SAS 2TB |
| OS | ESXi 5.5 | ESXi 5.5 | ESXi 5.5 | ESXi 5.5 | ESXi 5.5 | ESXi 5.5 | ESXi 5.5 |
| Management Interface | 2 x 10/100/1000Base-T | 2 x 10/100/1000Base-T | 2 x 10/100/1000Base-T | 2 x 10/100/1000Base-T | 2 x 10/100/1000Base-T | 2 x 10/100/1000Base-T | 2 x 10/100/1000Base-T |
| Network Interface | 4 x 1GbE Copper | 4 x 1GbE Copper | 4 x 1GbE Copper / 4 x 1GbE SFP | 4 x 1GbE SFP Accelerator | - | 4 x 10GbE SFP Accelerator | - |
| Power | Single 500W | Redundant 500W | Redundant 500W | Redundant 500W | Redundant 500W | Redundant 500W | Redundant 500W |
| Dimension | 2.5U | 2.5U | 2.5U | 2.5U | 2.5U | 2.5U | 2.5U |

* ZombieZERO Manager is included when purchasing ZombieZERO Inspector.
* H/W specifications may change according to the circumstances of the manufacturer.