KR101288103B1 - Method and system for monitoring and cutting off illegal electronic-commerce transaction - Google Patents

Abstract

Disclosed are a method and system for monitoring and blocking illegal e-commerce transactions. In the illegal e-commerce blocking system, which includes an e-commerce web server and an illegal transaction prevention server, a method for blocking illegal transactions includes accessing an e-commerce web server, receiving and installing an information collection agent, and then installing the e-commerce web. As the dedicated application is executed to use the service provided by the server, the information collection agent is driven, and the information collection agent is connected to the illegal transaction prevention server through the first communication channel to obtain at least one of authorized access information and policy information. Determining whether to block the service through the e-commerce web server by passing the blocking event according to the corresponding policy information to the dedicated application, the information collection agent driven on the user terminal collects information and authorized for the user terminal through the second communication channel E-commerce web server with access information And the e-commerce web server transmits log history, collected information and authorized access information according to the access of the user terminal to the illegal transaction prevention server, and the illegal transaction prevention server uses the authorized access information according to whether to block the service. The policy information may be transmitted to the user terminal.

Description

Method and system for monitoring and cutting off illegal electronic-commerce transaction

The present invention relates to a method and system that can detect and block illegal transactions on electronic commerce in real time.

As the Internet develops and the number of Internet users increases, many companies, public institutions, and financial companies provide various and convenient services to their customers by using separate servers for web services or dedicated services.

In the e-commerce service using the Internet, it is necessary to prevent illegal transactions that exploit the anonymity of the Internet. In the past, access information or user terminal (PC, etc.) information was collected / stored and analyzed. Illegal transactions were detected and blocked by statistically using the post processing.

However, illegal traders are increasingly using the time lag or attempting more intelligent e-commerce illegal transactions such as bypass access or tampering with user terminal information.

Republic of Korea Patent Publication No. 2007-0092806 (2007.09.14) discloses a technology that can block the collection and analysis of communication packets transmitted at a specific point.

Republic of Korea Patent Publication 2007-0092806 (2007.09.14)

The present invention is to provide a method and system that can detect and block illegal transactions in real time in order to provide a secure electronic commerce service to a user using an electronic commerce or a company that provides an electronic commerce service.

In addition, the present invention can minimize the waiting time by determining whether to block using the NAT IP address of the user terminal so as not to affect the bypass connection of the proxy server or VPN of the user terminal.

In addition, the present invention has an advantage that the user terminal can determine whether to block before receiving a specific service through the actual e-commerce web server to prevent the damage of the user in advance.

According to an aspect of the present invention, a method for blocking illegal transactions in an e-commerce illegal transaction blocking system including an e-commerce web server and an illegal transaction prevention server is provided.

According to an embodiment of the present invention, in a method for blocking illegal transactions in an e-commerce illegal transaction blocking system including an e-commerce web server and an illegal transaction prevention server, (a) a user terminal accesses the e-commerce web server Receiving and installing an information gathering agent; (b) driving the information collection agent as the user terminal executes a dedicated application for using a service provided by the e-commerce web server, and the illegal transaction prevention server through a first communication channel through the information collection agent; Accessing to obtain at least one of authorized access information and policy information; (c) determining, by the user terminal, whether to block a service through the e-commerce web server by transmitting a blocking event according to the obtained policy information to the dedicated application; (d) transmitting, by the information collecting agent driven to the user terminal, collection information about the user terminal and the authorized access information to the e-commerce web server through a second communication channel; And (e) transmitting, by the e-commerce web server, the log history, the collection information, and the authorized access information according to the access of the user terminal to the illegal transaction prevention server, wherein the illegal transaction prevention server is the authorized agent. An illegal transaction blocking prevention method may be provided by transmitting policy information according to whether a service is blocked to the user terminal using access information.

The first communication channel is a socket secure communication channel, the second communication channel is a packet communication channel, and the public access information is a NAT IP address.

The information collecting agent may include a signature method driven after installation with the consent of the user terminal user and a non-signature method driven without the user consent process.

The signature method may be a script command programmed to drive a signature method plug-in of any one of an ActiveX method, an NPAPI method, and a Java Applet method.

In the step (b), before the acquiring the authorized access information and the policy information, the information collecting agent checks the communication state of the illegal transaction prevention server through the first communication channel by calling socket connect. Further, if the communication state is a communication state, the authorized access information and policy information may be obtained.

The information collecting agent may transmit H DATA or V DATA to the illegal transaction prevention server as a server delivery packet through the first communication channel, and obtain public access information from the illegal transaction prevention server in response thereto.

When the user terminal is configured to use a VPN, the information collection agent may transmit the transmission packet to the illegal transaction prevention server through a real Ethernet rather than a VPN virtual Ethernet.

According to another aspect of the present invention, there is provided an electronic commerce illegal transaction blocking system that can block illegal transactions of a user terminal including an e-commerce web server and an illegal transaction prevention server.

According to an embodiment of the present invention, in an illegal e-commerce blocking system including an e-commerce web server and an illegal transaction prevention server, a dedicated application or a web browser installed to use a service provided by the e-commerce web server may be used by a user. When driven by, driving the information collecting agent, and transmits the transmission packet to the illegal transaction prevention server through the first communication channel through the information collecting agent to obtain the authorized access information and policy information, according to the policy information A user terminal controlling to deliver a blocking event to the dedicated application; And extracting the authorized access information of the user terminal in response to receiving the transmission packet of the information collecting agent driven on the user terminal, and comparing the authorized access information with policy data stored in a database. And an illegal transaction prevention server for generating policy information according to whether a service is blocked and delivering the information to the information collection agent through the first communication channel, wherein the dedicated application is a service provided by the e-commerce web server according to the blocking event. An illegal e-commerce blocking system can be provided, characterized by determining whether to block use.

The information collecting agent may transmit the authorized access information obtained through the first communication channel and the collection information collected about the user terminal to the e-commerce web server through a second communication channel.

In accordance with an embodiment of the present invention, by providing a method and system for monitoring and blocking illegal e-commerce transactions, illegal transactions are performed in real time to provide safe e-commerce services to users who use e-commerce or companies that provide e-commerce services. Can be detected and blocked.

In addition, the present invention can minimize the waiting time by determining whether to block using the NAT IP address of the user terminal so as not to affect the bypass connection of the proxy server or VPN of the user terminal.

In addition, the present invention has an advantage that the user terminal can determine whether to block before receiving a specific service through the actual e-commerce web server to prevent the damage of the user in advance.

1 is a block diagram schematically illustrating a system capable of detecting and blocking illegal transactions of electronic commerce according to a first embodiment of the present invention;
2 is a diagram illustrating the types of information classified according to types and collection methods of collected information according to an embodiment of the present invention.
3 is a view for a technical description of how to obtain the original public IP when using the VPN of the collected information according to an embodiment of the present invention.
4 is a detailed table showing a policy pattern, an application method, and an action method for illegal transactions in a real-time detection / blocking technology according to an embodiment of the present invention.
Figure 5 is an illustration for explaining the application method and screen for the customer specific security services "e-commerce dedicated PC designated service" and "overseas IP blocking service" that can be additionally obtained by the present invention.
FIG. 6 is a flowchart illustrating a detailed description of an application procedure and an actual system for FIG. 5.
FIG. 7 is a diagram illustrating an example of a system configuration for providing a service of FIG. 5. FIG.
8 is a block diagram schematically illustrating a system capable of detecting and blocking illegal transactions in electronic commerce according to a second embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the detailed description. It is to be understood, however, that the invention is not to be limited to the specific embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another.

The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting of the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. In this application, the terms "comprise" or "have" are intended to indicate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, and one or more other features. It is to be understood that the present invention does not exclude the possibility of the presence or the addition of numbers, steps, operations, components, components, or a combination thereof.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

[Description of FIGS. 1 to 7]

1 is a block diagram schematically showing a system capable of detecting and blocking illegal transactions of an electronic commerce according to a first embodiment of the present invention, and FIG. 2 is a diagram illustrating types and types of information collected according to an embodiment of the present invention. FIG. 3 is a diagram illustrating classification of types of information according to a collection method, and FIG. 3 is a view for technical description of a method of obtaining an original public IP when a VPN is used among collection information according to an embodiment of the present invention, and FIG. FIG. 5 is a diagram illustrating a detailed table of a policy pattern, an application method, and a countermeasure method for illegal transactions in a real-time detection / blocking technology according to an embodiment of FIG. 5, and FIG. 5 is a customer individual security service additionally obtained by the present invention. FIG. 6 is a view illustrating an application method and a screen for “e-commerce dedicated PC designated service” and “overseas IP blocking service”, and FIG. FIG. 7 is a flowchart illustrating a detailed description of a system that is actually implemented, and FIG. 7 is a diagram illustrating an example of a system configuration for providing a service of FIG. 5.

Referring to FIG. 1, a system capable of detecting and blocking illegal transactions of e-commerce (hereinafter referred to as "e-commerce illegal transaction detection and blocking system" for convenience of understanding and explanation) may be referred to as a user terminal ( 100), the e-commerce web server 200 and the illegal transaction prevention server 300 is configured to include.

The user terminal 100 is connected to the e-commerce web server 200 through a communication network to receive a variety of services provided by the e-commerce web server 200. Here, the user terminal 100 downloads and installs at least one application installation file for collecting a plurality of information from the e-commerce web server 200 in order to receive the service provided by the e-commerce web server 200. Can be.

In the present specification, for convenience of understanding and explanation, an application downloaded and installed by the user terminal 100 to collect information through the e-commerce web server 200 will be described as an information collection agent.

In addition, the user terminal 100 may separately download at least one dedicated application for use of various services provided by the e-commerce web server 200 and install it on the user terminal 100. For example, the dedicated application may be a home trading system (HTS) for stock trading. Of course, the dedicated application may be applied in the same manner in addition to the separate application installed for using a specific service provided by the e-commerce web server 200.

In addition, the information collection agent may be installed in the user terminal 100 in a signature manner or may be installed in a non-signature manner. Of course, a plurality of information collection agents may be installed in the user terminal 100 in a signature manner and a non-signature manner at the same time. In this specification, it is assumed that a plurality of information collection agents are installed in each of a signature method and a non-signature method. Therefore, it should be understood that the information collecting agent is understood to include both the signature method and the non-signature method, unless otherwise described herein.

In the present specification, the signature type information collecting agent refers to an agent installed and driven on the user terminal 100 with the consent of the user when the information collecting agent is installed in the user terminal 100. For example, the signature gathering agent may be implemented with JAVA / FLEX and JAVA Applet.

In addition, the non-signature information collection agent refers to an agent that can be run immediately without the user's consent or separate installation process. For example, Flash, MMS, RTSP, simple JAVA Applet, white-night, Ajax, etc. Can be implemented.

In the present specification, the information collection agent is provided on the user terminal 100 provided through the e-commerce web server, but will be described on the user terminal 100, in addition to being controlled by the illegal transaction prevention server 300 on the user terminal 100 Of course, it can be installed in.

For example, when the user terminal 100 accesses the e-commerce web server 200 for the first time, the user terminal 100 may be installed through the e-commerce web server 200.

The information collection agent collects information collected through a plurality of collection channels (hereinafter referred to as "terminal collection information" for convenience of understanding and explanation) to the e-commerce web server 200 and to prevent illegal transactions. Each server 300 may transmit.

The information collection agent may be connected to the e-commerce web server 200 through the first channel to transmit collected information to the e-commerce web server 200 or receive various services from the e-commerce web server 200. have. Here, the first channel may be a packet communication channel.

On the other hand, the information collection agent may form a secure communication with the illegal transaction prevention server 300 through the second channel, and transmit the access information of the corresponding user terminal 100 through the second channel. Here, the second channel may be a socket communication channel.

1, the information collecting agent includes a terminal information collecting module 131, an encryption module 135, and a transmission control module 137.

The terminal information collection module 131 performs a function of collecting various information about the user terminal 100. Information collected through the terminal information collection module 131 is illustrated in FIG. 2. That is, the terminal information collection module 131 may include various pieces of information (eg, access information (e-commerce web server access date and time, e-commerce web server) necessary for determining whether the user terminal 100 is illegally accessed or illegally traded. Connection IP Address, VPN Client IP Address, VPN Gateway IP Address, Proxy IP Address, Public IP Address, etc., Ethernet Information, MAC Information, Hardware Information, Terminal Information (e.g. Phone Number, IMSI, IMEI, USIM Information, etc.) Of course, the information collected by the terminal information collection module 131 may further include other information in addition to the information shown in FIG.

The encryption module 135 encrypts the collection information collected by the terminal information collection module 131 according to a predetermined method. For example, the encryption module 135 may include the Rivest Shamir Adleman (RSA), Seed, and Data Encryption Standard (3DES).

The transmission control module 137 controls to transmit the encrypted collection information to the illegal transaction prevention server 300 through the first channel and the second channel.

For example, the transmission control module 137 checks the communication state of the illegal transaction prevention server 300 through the first communication path of the first channel, and if the communication state is a communicable state (ie, “alive”), encrypts it. The collected information may be controlled to be transmitted to the illegal transaction prevention server 300 collectively through the first communication path.

In addition, when the communication state of the illegal transaction prevention server 300 is in a state where communication is impossible (or whether communication is unconfirmed), the transmission control module 137 transmits the collected information encrypted through the second channel to the e-commerce web server. After the transmission to the 200, it may be controlled to transmit to the illegal transaction prevention server 300 through the e-commerce web server 200.

The second channel is a packet communication path for connection between a web browser or a specific application (app) installed on the user terminal 100 and the e-commerce web server 200, and communication is always possible, but the first channel is a user terminal ( Communication may not be possible depending on the network environment (for example, firewall setting, etc.) to which 100) belongs.

Despite this reason, the reason why the encrypted collection information is first transmitted through the first channel is as follows.

First, even if a user accesses the connection path by using a proxy server through a browser of the user terminal 100, the original public IP address may be determined due to the characteristics of the socket communication.

Second, the data transmitted to the e-commerce web server 200 through the second channel is reduced, and as a result, the load of the e-commerce web server 200 may be reduced.

An e-commerce web server 200 according to an embodiment of the present invention includes an infrastructure such as a web service unit 210, a web server / WAS / DBMS, etc. that provides an information page for providing and modifying main information such as login and account transfer. The server framework 220 performing the providing function and the collected information in the e-commerce server dedicated or web server 200 (hereinafter referred to as the e-commerce web server) for the security policy according to an embodiment of the present invention in real time Collection processing and blocking information receiving unit 250 for interlocking and processing is included.

The collection processing and blocking information receiving unit 250 is a collection processing command unit 251 consisting of a command set file for controlling the information collection agent in the user terminal 100, the real-time multi-channel collection information transmission and reception unit 340 The collection / blocking information transmitting / receiving unit 252, which performs the function of transmitting and receiving the blocking information from the real-time collecting information analysis and policy detection / blocking unit 350, and the real-time collection information analysis and policy detecting / blocking unit 500 The detection block policy and key storage unit 253 performs a function of synchronizing and storing the policy data managed in the own policy DB.

Illegal transaction prevention server 300 according to an embodiment of the present invention includes a real-time multi-channel collection information transmission and reception unit 340 and a real-time collection information analysis and policy detection / blocking unit (collection information analysis and blocking unit 350).

The collected information analysis and blocking unit 350 includes means for storing the collected information in a log and policy database and comparing the policy data with the policy data of the database to determine whether to block.

The real-time multi-channel collection information transmitting and receiving unit 340 according to an embodiment of the present invention performs a function of receiving processing so as not to lose a lot of information from the A Channel 190 and the collection processing and blocking information receiving unit 250. The channel collection information integrated transmission and reception unit 341, the collection information encryption / decryption unit 342 for encrypting the information and decrypting the received information, and the administrator user I / F 343 for the administrator to monitor and manage the collection information. Include.

In addition, the real-time collection information analysis and policy detection / blocking unit 350 receives the information from a plurality of real-time multi-channel collection information transmission and reception unit 340 to perform the function of collecting and collecting the integrated information real-time collecting unit 351, User terminal policy decision and execution unit 352 that analyzes the detected information to determine whether to detect or block, a real-time log and policy database 353 that stores collected information and policy-related information, and the administrator collects the information. And an administrator User I / F 354 that can monitor the analysis results.

The information collected from the real-time multichannel collection information transmission / reception unit 340 is immediately transmitted to the real-time collection information analysis and policy detection / blocking unit 350 to store the collection information in which integrity is maintained, and simultaneously perform necessary policy application processing. After implementation, the content determined by the policy is transmitted to the e-commerce web server 200 so that the detection / blocking process can be processed in real time when a transaction is attempted by the user terminal.

"E-commerce illegal transaction blocking method and system" according to an embodiment of the present invention is a form that can be configured as a system independent from the existing e-commerce web server, so that any load that may occur during information storage and policy processing that occurs in real time It is clear that the invention is satisfactory for both existing service users and service providers because it has little effect on the existing e-commerce web server (ie, the additional load on the existing e-commerce web server is minimized).

Referring to the operation of each component and the interaction between each component according to an embodiment of the present invention in detail, the user terminal 100 is a web browser for web access 110 or a dedicated terminal installation program for the purpose of electronic commerce ( 120) (eg, HTS, Home Trading System) or both to access the e-commerce web server 200. In this case, the response web page of the e-commerce web server 200 includes a script (JavaScript) file and a command corresponding to the collection processing command unit 251. The browser 110 executes this command to install the agent. It collects information and transmits collected information.

The command script also contains a variety of important information, such as the Class ID, which is a unique number that refers to the Agent component, the path of the Agent installation file, the version of the Agent, and the first collection address, which is the address of the server to which to collect the collected information. For example, second collection address information, which is an address of a server to be resent when a primary communication fails.

First of all, the Agent checks the Agent installed in the user terminal 100 by using the Agent Ready command. If the version is lower than the version specified by the command even if the Agent is not installed or installed, the new Agent is downloaded and installed to collect the information gathering agent. Make it ready for use. (It is classified as either signed or non-signed agent based on whether the user asks for the user's consent at the time of installation.) When the information gathering agent is ready for use, the browser executes a subsequent script command to give this agent a run command. After collecting information of the user terminal 100 and encrypting it in the terminal information encryption module 135, the terminal information transmission control unit 137 starts the transmission of the collected information. At this time, the type of information collected is shown in FIG. 2.

In an embodiment of the present invention, if the user terminal 100 is connected to the e-commerce web server 200 for the purpose of e-commerce (for example, login, payment, account transfer, bulletin board, recertification screen, etc.) When the web server 200 is in the form of a web service server, a screen is provided from the web service unit 210 and a command script is provided from the collection processing command unit 251 at the same time, and the corresponding commands in the user terminal 100 are configured. As it runs, the information gathering agent is installed and running.

The collection processing command unit 251 is composed of a script file and instructions to be executed in the access web browser 110 in the user terminal 100.

In an embodiment of the present invention, the collection / blocking information transmitting / receiving unit 252 immediately transmits the real-time multichannel collection information transmitting / receiving unit 340 with respect to the collection information transmitted through the B channel 191 to the collecting paths 193 and 194. send.

At this time, if encryption is required between the network between the e-commerce web server 200 including the collection processing and blocking information receiving unit 250 and the real-time multi-channel collection information transmitting and receiving unit 340 (this section is all the internal network of the company usually It does not encrypt it, but also encrypts it according to the company's policy.) As described above, the encryption and decryption process works.

The detection blocking policy and the KEY storage unit 253 according to an embodiment of the present invention includes a real-time policy pattern registration DB and the terminal integrated information storage unit 353, real-time collection information analysis and policy detection / blocking unit 350 Provided by the real-time policy pattern registration DB and the terminal integrated information storage unit 353 in order to provide a seamless e-commerce service with no obstacles (in order to provide a seamless e-commerce service without failure) in case the network to the equipment or the corresponding HW server fails. Synchronize one or more policy patterns of the critical policy database (see FIG. 4) with the change.

Therefore, the real-time collection information analysis and policy detection / blocking unit 350 can provide a real-time blocking services illegal transactions.

For example, in the case of the overseas IP blocking service, the ID of the user who applied for the service and the domestic IP band information are stored in the real-time policy pattern registration DB and the terminal integrated information storage unit 353 and updated from time to time. By always synchronizing to the blocking policy and KEY storage unit 253, even if a failure occurs in the real-time collection information analysis and policy detection / blocking unit 350, it is possible to determine whether to block alone in the collection / blocking information transmission and reception unit 252. .

In one embodiment of the present invention, the real-time multi-channel collection information transmitting and receiving unit 340 is configured to decode in real time all the collection information transmitted in the two channels and three communication paths from the user terminal 100, the decoded information When the real-time collection information analysis and policy detection / blocking unit 350 is transmitted there is configured to be integrated into one collection information (Record).

In one embodiment of the present invention, the real-time multi-channel collection information transmission and reception unit 340 and the real-time collection information analysis and policy detection / blocking unit 350 in case the amount of information collected per second is gradually increased or exploded Each module can be separated and operated in a separate H / W server, and the integrated information real-time collecting unit as a module having a Queue function to double or triple the real-time multi-channel collection information transmission / reception unit 340 ( 351).

The integrated information real-time collector 351 uses a queue having a FIFO (First-In-First-Out) data structure so that multiple real-time multichannel collection information transceivers 340 simultaneously transmit information without confusion. Receive and in turn allow subsequent processing. By using the FIFO queue, even if multiple real-time multi-channel acquisition information transmission / reception units 340 simultaneously transmit information or the total amount of information transmission is exploding, the receiving / processing side can be processed without losing information or even losing some information. .

The user terminal policy determination and execution unit 352 is divided into a real time policy determination unit and a real time detection / blocking policy execution unit, and comparatively analyzes the first collected information as shown in FIG. 4 according to the real time policy pattern registration DB 353. The real-time policy decision unit module is configured to judge.

 Compared and determined by the real-time policy determination module, the corresponding event log is stored in the DB by the real-time detection / blocking policy execution unit, and when the policy is set to automatic blocking, the collection / blocking information transmission / reception unit 252 is used. The web service unit 210 was immediately blocked in real time, and if the policy is set to automatic detection, it is configured to notify the administrator by SMS, email, management system screen, etc. through the system administrator user interface (343, 354). It was.

To enable real-time blocking, a few seconds from the moment the user terminal 100 accesses the important screen of the e-commerce web server 200 for the purpose of electronic commerce, until the blocking is made in the web service unit 210 (for example, 1 ~ 1). Must be able to process within 3 seconds). This requires a technique that significantly shortens the typical processing time.

In one embodiment of the present invention was configured to use the following three methods.

First, it is possible to classify cases where the original public IP can be identified without further investigation and to deal with them quickly.

Conventionally, the A channel 190 waited for information about the public IP due to the possibility of IP detour of the user terminal 100, and the A channel 190 has an unstable transmission speed depending on the state of the network to which the user terminal 100 belongs. There was a problem that sometimes takes time or communication itself is impossible.

However, in the present invention, when the information collecting agent confirms in advance that the user terminal 100 does not use an IP bypassing technique such as a proxy or a VPN (to check whether the proxy is used, check the OS registry and determine whether to use the VPN). To check, check if the description of the PC communication adapter device includes a specific string such as TAP, VPN, LZIP, SOCKv5, etc.) Priority information necessary for blocking or not (eg public IP, user ID, MAC address, etc.) ) Is transmitted to the collection processing and blocking information receiver 250 through the No. 2 collection path 193 of the B channel 191.

After the real-time multi-channel collection information transmission and reception unit 340, the real-time collection information analysis and policy detection / blocking unit 350 waits for integration with the remaining information (No. 1 (192) or No. 3 (194)) It is configured to be able to quickly determine whether to block or not by analyzing alone.

Since the detour access rate such as proxy and VPN is about 0.5% on average, this invention allows 99.5% of transactions to be immediately blocked in real time without being affected by unstable A channel 190.

Second, when the terminal information transmission control unit 137 sends the collected information to the server through the No.1 collection path 192 of the A channel 190 and the No.2 collection path 193 of the B channel 191 to asynchronous communication. By using the Asynchronous I / O or Non-Blocking I / O method, the communication latency is eliminated.

The synchronous communication method is a method of waiting without performing any work until the completion of a communication request. The synchronous communication method is easy to implement, but it takes a lot of time because the communication proceeds in sequence in a situation where various communication is performed in parallel.

However, the asynchronous communication method is a method of performing a subsequent task after a communication request and even before the execution is completed. Although a plurality of tasks can be performed quickly at the same time, the difficulty of implementation is high.

Third, information necessary for determining whether to block (eg, set policy, country IP band table, blocking flag, etc.) is stored and used in main memory (main memory) to enable high-speed processing even when the visitor is congested.

In this way, by using a hash table in memory to be able to search and create / delete at high speed, it is configured to respond much faster than the method involving disk I / O such as database or file.

In addition, in order to prevent the memory usage from becoming too large, it is configured to delete unnecessary information periodically (period of checking every 40 seconds).

By utilizing the memory efficiently, as in the embodiment of the present invention, even if a low-cost Intel server is used, a structure capable of processing 200 to 300 cases per second can be obtained.

Even if the real-time detection / blocking is performed quickly by a sophisticated policy, it will be in vain if the user terminal 100 does not prevent the bypass or the tampering attack. First of all, in preparation for all bypass methods (Proxy, VPN, remote access, etc.) used to modulate the public IP address, the original public IP address of the user terminal 100 was obtained and configured to be used for policy determination.

In addition, since the MAC address of the user terminal 100 can be easily modulated, when collecting MAC address information, the MAC address is collected and used to determine the original MAC address information.

As a result, a method for preventing illegal traders from accessing the electronic commerce web server 200 by hiding or avoiding their information can be prevented at the source.

VPN (Virtual Private Network) is one of the most threatening IP bypass technologies in all e-commerce, and the original method of the user terminal 100 using the tunneling function provided by the VPN gateway server (Fig. 3). Since the IP can be hidden (the e-commerce web server 200 can only know the IP of the VPN gateway), it is often used maliciously. These VPN implementations are diverse, and protocols such as PPTP, GRE, L2TP, and SSL VPN are used.

When the user terminal is connected to the VPN driver in FIG. 3 (410), the information collected by the plug-in driving command from the information collection agent is also bypassed through the VPN driver as shown in FIG. 3 (430). Information is sent to 300.

In one embodiment of the present invention, after performing the A channel 190 communication, the protocol name (PPTP, GRE, L2TP, SSL VPN, etc.) described above in the description of the communication adapter for active connection in the user terminal 100. If any of these are included, it is determined that a VPN bypass connection is possible.

When the information collected in FIG. 3 is bypassed through the VPN driver and transmitted to the illegal transaction prevention server 300 (420), the communication channel is changed as follows, and as shown in FIG. 190) by performing the communication once more (430) to obtain the original public IP.

That is, the information gathering agent finds the network driver that was originally used before the VPN in addition to the network driver that the user terminal 100 is currently using (i.e., connected to the external VPN gateway), and then uses the GetAdaptersInfo function to configure the IP_ADAPTER_INFO structure. Information of the adapters and finds one of the adapters that has both a private IP and a gateway IP) and selects and transmits the real-time multi-channel collection information by performing the A channel 190 communication once more with the driver interface (420). Part 400 is to perform a procedure (see Figure 3) to collect both the public IP address after the VPN bypass and before the bypass.

In this case, in order to communicate with the original network driver separately from the VPN driver used for communication between the browser and the web server, the agent uses a technique of temporarily changing the routing table (list defining network communication paths) of the user terminal 100. This causes the external Internet communication, which previously went out with the VPN driver, to be changed to the original network driver with the socket communication of FIG. 3 (430), and in this real-time multi-channel collection information transmission / reception unit 340 through this path The collected public IP is the original public IP before bypass.

When using Proxy, another IP bypass method, the original public IP can be obtained by the following procedure.

First, the information gathering agent queries the registry containing OS setting information of the user terminal 100 to determine whether the proxy setting is made in the browser. In this case, if the proxy setting is made, the original public IP may be obtained from the real-time multichannel collection information transmission / reception unit 400 using the A channel 190 communication.

In order to determine whether the agent has bypassed using a remote connection,

Check the port number in a specific registry (HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ Wds \ rdpwd \ Tds \ tcp) and use the GetTcpTable function to get the status information of this port. It can be seen. Refer to the network interface card (NIC) part of the registry to determine whether the MAC has been modified and the original MAC address.

The system supporting real-time detection and blocking of illegal e-commerce transactions according to an embodiment of the present invention described above may be additionally installed and implemented in any structure such as a current web service structure or a client-server structure. .

That is, the illegal transaction prevention server 300 obtains terminal specific information and various information about the user from the user terminal 100 and the e-commerce web server 200, respectively, and analyzes the same in the corresponding e-commerce web server 200. It allows you to take steps to detect and block according to the blocking policy you set.

Referring to FIG. 4, an e-commerce service company may enhance an image as a company that can securely trade by providing a security service for e-commerce to individual customers by utilizing a real-time detection and blocking policy based on registered information.

Service forms that can be additionally provided to customers using one embodiment of the present invention include the following.

The first is “E-Commerce Dedicated PC Designation Service.” According to the application screen (FIG. 5) and the procedure (FIG. 6) provided by the e-commerce company, the customer himself or herself is one or more of his / her own computer or his / her computer or portable computer. By registering this trusted computer in advance and not trading with other computers, you can prevent your users from stealing important information or hacking goods by stealing their personal information. In this case, the registered computer is identified by the MAC address, so the ability to obtain the original MAC address before the modulation is a prerequisite.

The second is the “Overseas IP Blocking Service”, which is a service that protects users from accessing overseas when they apply for use only in computers in Korea. This allows customers to block the access of foreign hackers.

To determine whether the accessor's public IP is a domestic IP, the domestic IP allocation information published by KRNIC (Korea Internet Security Agency) is used.In this case, when the accessor uses the IP bypass technique, the original public IP is used. Only then can we determine the correct country. These additional security services provide customers with the added protection that traditional security equipment or service servers can't provide and the added benefit of enabling secure e-commerce with no hacking risk. However, it is obvious that this service should be prepared in case an e-commerce company requests a visit in connection with offline.

FIG. 7 is a block diagram illustrating an example of a system configuration for providing a service of FIG. 5. In the first step, the registration / cancellation application step, the e-commerce company provides the registration / cancellation screen, and the customer applies for or cancels the service himself and the result of the application / cancellation is stored in the company DB.

In the second step, the transaction execution step, the B channel (191) information sent from the user terminal 100 to the e-commerce server is a JSP module (a Java Server Page module that receives and processes information in the form of HTML Form) and the processing program of the company. It is delivered to the collection daemon via. The collection daemon transmits both this information and the A channel 190 information received directly from the user terminal 100 to the analysis daemon, so that the analysis daemon can generate a flag to block.

The analysis daemon according to an embodiment of the present invention compares the collected original MAC address with a pre-registered MAC address (in the case of “E-Commerce Dedicated PC Designation Service”), or the collected original public IP is assigned to the domestic IP. Determine flag (in case of “Overseas IP Blocking Service”) to determine whether to block and set Flag in memory. The blocking flag generated in this way is replicated in real time to the e-commerce web server 200 by the synchronization daemon in the e-commerce web server, and the blocking flag information is maintained in the memory in the e-commerce web server. ) The processing program can refer to this flag information and take immediate blocking action if necessary.

[Description of Fig. 8]

8 is a block diagram schematically illustrating a system capable of detecting and blocking illegal transactions of electronic commerce according to a second embodiment of the present invention.

Referring to FIG. 8, the illegal e-commerce blocking system includes a user terminal 100, an e-commerce web server 200, and an illegal transaction prevention server 300.

Hereinafter, the description of the components and functions described with reference to FIG. 1 will be omitted and only different parts will be described.

When the user terminal 100 executes a dedicated application provided in the user terminal 100 to provide a specific service provided by the e-commerce web server 200, an information collecting agent is driven to illegally trade through the first communication channel. Access to the prevention server 300 may collect the authorized access information. Here, the public access information is the public IP address of the user terminal 100, and may be obtained by the illegal transaction prevention server 300 regardless of whether the detour connection through the proxy server and the VPN. In this case, the information collecting agent may further obtain policy information from the illegal transaction prevention server 300 in addition to the authorized access information. Accordingly, the information collecting agent analyzes the corresponding policy information and delivers a blocking event to a dedicated application (or dedicated software) to block access to the e-commerce web server 200 in advance.

In more detail, the information collecting agent of the user terminal 100 transmits the H data or the V data to the illegal transaction prevention server 300 as a delivery packet to the server through the first communication channel, and the illegal transaction prevention server transmits the delivery packet ( The public access information (NAT IP address) may be transmitted to the information gathering agent in response to the H data or V data).

For example, when the user terminal 100 is set as the VPN, the information collection agent does not transmit the forwarded packet to the illegal transaction prevention server 300 through the VPN virtual Ethernet, but the illegal transaction prevention server 300 through the actual Ethernet. Send packets forwarded to the network. Accordingly, the illegal transaction prevention server 300 may obtain authorized access information of the actual user terminal 100 even if the user terminal 100 uses a VPN.

To this end, the illegal transaction prevention server 300 further includes an IP module 360 for transmitting authorized access information, as shown in FIG. 8. When the IP module 360 receives the H data or the V data from the information collecting agent driven by the user terminal 100, the IP module 360 transmits the public access information (NAT IP address) of the user terminal 100 in response thereto. To perform.

In this specification, the public access information (NAT IP address) refers to an IP address obtained through socket communication. That is, in general, the IP address obtained through the web communication may be different from the IP address of the actual user terminal 100 according to the proxy server or VPN setting. Accordingly, the information gathering agent according to an embodiment of the present invention is driven when a dedicated application is run for the use of a specific service by the user through the e-commerce web server 200, so that the first communication before the actual service is provided. By accessing the illegal transaction prevention server 300 through a channel, it is possible to obtain the authorized access information and policy information in advance. Accordingly, the information collection agent may deliver the blocking event to the dedicated application according to the policy information, and the dedicated application may determine whether to block the service according to the input of the blocking event. As a result, the user can determine whether to block before receiving the actual important service from the actual e-commerce web server 200, significantly reducing the waiting time, and has the advantage of preventing the user from damage due to illegal transactions in advance. have.

When the information collection agent of the user terminal 100 obtains the authorized access information according to the transmission of the H data or the V data through the first communication channel, the electronic commerce together with the collected information collected for the user terminal 100 including the same. It may be transmitted to the web server 200. Here, the collected information, for example, information of the user terminal 100 (CPU, network interface, MAC, IP, Hard Disk, Keyboard, OS information, browser information, security software installation and operation, etc.) and electronic commerce It may be at least one of account information (login ID) obtained through the web server 200, whether the login is successful, or the URL accessed.

In this case, the information collecting agent of the user terminal 100 may transmit the authorized access information and the collected information obtained through the second communication channel to the e-commerce web server 200. As described above, the first communication channel may be a socket communication channel, and the second communication channel may be a packet communication channel. Also, the first communication channel and the second communication channel can communicate according to asynchronous data communication.

Accordingly, the e-commerce web server 200 may transmit the collected information and the authorized access information collected from the user terminal 100 to the illegal transaction prevention server 300, which will later be determined in policy determination of the user terminal 100. May be used.

Meanwhile, a method of blocking illegal transactions in an electronic commerce illegal transaction blocking system including an e-commerce web server and an illegal transaction prevention server according to an embodiment of the present invention may be performed through various electronically processed means. It can be implemented in the form of instructions and written to a storage medium. The storage medium may include program instructions, data files, data structures, etc. alone or in combination.

Program instructions to be recorded on the storage medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of software. Examples of storage media include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic-optical media such as floppy disks. hardware devices specifically configured to store and execute program instructions such as magneto-optical media and ROM, RAM, flash memory, and the like. In addition, the above-described medium may be a transmission medium such as an optical or metal wire, a waveguide, or the like including a carrier wave for transmitting a signal specifying a program command, a data structure, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as devices for processing information electronically using an interpreter or the like, for example, a high-level language code that can be executed by a computer.

The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention as defined in the appended claims. It will be understood that the invention may be varied and varied without departing from the scope of the invention.

Claims (14)

In the method for blocking illegal transactions in the e-commerce illegal transaction blocking system including an e-commerce web server and an illegal transaction prevention server,
(a) a user terminal accessing the e-commerce web server and receiving and installing an information collection agent;
(b) running the information gathering agent as the user terminal executes a dedicated application for using a service provided by the e-commerce web server, and calls socket connect through the information gathering agent to establish a socket secure communication channel. 1 confirms the communication state of the illegal transaction prevention server through a communication channel, and if the communication state is a communication state, transmits H data or V data to the illegal transaction prevention server as a server forwarding packet, and transmits from the illegal transaction prevention server. Obtaining public access information and policy information;
(c) determining, by the user terminal, whether to block a service through the e-commerce web server by transmitting a blocking event according to the obtained policy information to the dedicated application;
(d) transmitting the collection information and the authorized access information for the user terminal to the e-commerce web server through the second communication channel, the information collection agent driven in the user terminal, the packet communication channel; The information is a NAT IP address; And
(e) transmitting, by the e-commerce web server, the log history, the collection information, and the authorized access information according to the access of the user terminal to the illegal transaction prevention server,
Acquiring the authorized access information and policy information from the illegal transaction prevention server, the illegal transaction prevention server receives the authorized access information of the user terminal in response to receiving the transmission packet of the information collection agent driven on the user terminal. Extracting and comparing the authorized access information with the policy data stored in the database and generating the policy information according to whether the user terminal is blocked or not and delivering the policy information to the information collecting agent through the first communication channel;
The illegal transaction prevention server transmits the policy information according to whether to block the service using the authorized access information to the user terminal,
When the user terminal is configured to use a VPN, the information collection agent controls to transmit the transmission packet to the illegal transaction prevention server through a real Ethernet instead of a VPN virtual Ethernet,
The information gathering agent includes a signature method driven after installation with the consent of the user terminal user and a non-signature method driven without the user's consent process.
delete delete delete The method according to claim 1,
The signature method is characterized in that the illegal transaction blocking prevention method characterized in that the script command programmed to drive any one of the signature method command line plug-in ActiveX, NPAPI method, Java Applet method.
delete delete delete In the e-commerce illegal transaction blocking system comprising an e-commerce web server and an illegal transaction prevention server,
When a dedicated application or a web browser installed for use of a service provided by the e-commerce web server is driven by a user, the information collection agent is started and a socket is connected through a first communication channel, which is a socket secure communication channel, through the information collection agent. Call connect to check the communication status of the illegal transaction prevention server, and if the communication is possible, transmit V data or H data to the illegal transaction prevention server in a server transmission packet to obtain authorized access information and policy information, and the policy A user terminal which controls to transmit a blocking event according to the information to the dedicated application and transmits the collected information collected through the second communication channel, which is a packet communication channel, to the e-commerce web server. The public access information is a NAT IP. being; And
In response to receiving the transmission packet of the information collecting agent driven in the user terminal, extract the authorized access information of the user terminal in response, and block the service of the user terminal by comparing the authorized access information with the policy data stored in the database It includes an illegal transaction prevention server for generating policy information according to whether or not to deliver to the information collection agent through the first communication channel,
The information collecting agent includes a signature method driven after installation with the consent of the user terminal user and a non-signature method driven without the user's consent process.
The dedicated application determines whether to block the use of services provided by the e-commerce web server according to the blocking event,
The information collecting agent, when the user terminal is set to use a VPN, e-commerce illegal transaction blocking system, characterized in that to control the transmission packet to the illegal traffic prevention server via the real Ethernet, not the VPN virtual Ethernet. delete delete delete delete delete

Images