KR102495370B1 - System for controlling transmission and reception of file of application based on proxy and method thereof - Google Patents

Abstract

A gateway according to one embodiment disclosed in the present document comprises: a communication circuit; a processor operatively connected to the communication circuitry; and a memory operatively connected to the processor and storing a proxy server, wherein when executed by the processor, the memory receives a data flow including file input-output (IO) information indicating whether the gateway requires encryption when transmitting a file of a node from an external server or decryption when receiving the file and stores instructions for processing a service processing request or a service processing request result through the proxy server based on whether file information is included in the service processing request or service processing request result of the node. In the present invention, the transmitted and received file can be selectively encrypted or decrypted according to the policy of a controller.

Description

System for controlling file transmission and reception of application based on proxy and method therefor

Embodiments disclosed in this document relate to a system and method for controlling file transmission and reception of an application based on a proxy.

Multiple devices may communicate data over a network. For example, the terminal may transmit or receive data with a server through the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

The terminal performs communication with the server by utilizing IP (Internet Protocol)-based TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and controls the connection between the source IP and destination IP authorized in TCP or UDP technology. Firewall technology may be used. In the case of such IP communication, since there is a problem that IP can be forged or tampered with, in order to solve this problem, virtual private network (VPN) technology and tunneling technology for encrypting data packets between a terminal and a server are used.

When using a VPN based on tunneling technology that is created at the terminal level or in units of IPs assigned to the terminal, there is a vulnerability in which unallowed or unsafe applications access the unallowed destination network through always-connected tunneling after initial authentication. Therefore, security incidents due to infiltration of various malware and ransomware are increasing. In order to solve this problem, an application connectivity control technology that allows only allowed applications to access the allowed network is applied to identify applications that are fundamental communication subjects and block access of disallowed applications in advance.

For example, in a state in which an allowed application can access a permitted network, it may not be possible to control the application's behavior of receiving or transmitting a file through the network. DLP (Data Loss Prevention) exists as a technology to solve this problem, and DLP prevents unauthorized media (e.g., USB or removable storage devices) from being connected or preventing sharing of a specific folder on the network. or, when a specific application selects a file for file transfer, prevents the file from being transferred by blocking the file from being selected, or when file input/output of a specific application occurs or when tracking file input/output, the user Data leakage can be prevented by removing the file input/output handle when the file does not have the file input/output authority.

Such DLP technology may not be able to prevent unauthorized media from being connected in an area where physical security control is unavailable and in a telecommuting environment using personally owned terminals where there is a limit to the application of security policies. Furthermore, the DLP technology that tracks a specific action may not be able to prevent, for example, a non-user malicious code directly loading and transmitting a file without a file selection window when the specific action is not performed. In addition, since the DLP technology, which tracks file input/output of a specific application, tracks file input/output targeting a specific application and blocks it collectively, it may be difficult to allow file transmission on a network connected by the application. In the case of DLP, which provides a way to release file input/output restrictions by identifying the access address window of the Internet browser, in the case of an application that does not have an access address window, network access information cannot be traced, so there are limitations in controlling file reception and transmission. There may be.

In addition, when uploading a file to a work server that exists on a controllable network by a terminal, file encryption is performed through a service application (or web application), or the file is uploaded without encryption processing, and the network and physical You can prevent files from being leaked through access control. In order to solve this problem, there is DRM (Digital Rights Management) technology as a technology for encrypting a file and decrypting the file only for an object that can read the file.

However, there are limits to network access control in environments such as cloud environments and software as a service applications, and defects in service applications (e.g., zero day attacks) are always exposed to the Internet due to the nature of the environment. )), brute force attack, or credential stuffing), or unauthorized access by the cloud or service provider (e.g. data mining and machine learning) to ensure the safety of uploaded files. may not be able to In addition, since DRM technology encrypts files uniformly, only files uploaded to the cloud are encrypted, and files are not encrypted when uploaded to a business server that exists on a controllable network. Depending on this, selective encryption may not be possible.

Therefore, when a target application uploads a file to a cloud environment that needs to protect the file, a technology that can encrypt the file uploaded to the cloud in a form that cannot be decrypted even if the file uploaded to the cloud is downloaded by a target other than the target having ownership is required. When a file is uploaded to a business server that exists on a network that is necessary and can be controlled by the target application, it is an optional file that does not perform separate encryption at the terminal so that the service application that exists on the server can process its own encryption. Encryption technology is required.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A gateway according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a proxy server, When the memory is executed by the processor, the gateway receives a data flow including file IO (input output) information indicating whether encryption is required when a file is transmitted by a node or decryption is required when a file is received from an external server, Through the proxy server, instructions for processing the service processing request or the service processing request result based on whether file information is included in the service processing request or the service processing request result of the node may be stored.

A server according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database, the memory comprising: When executed by the processor, the server receives a network access request including identification information of a target application of the node trying to access the network of the service server and network information of the service server from an access control application of the node, and the database Based on this, it is checked whether the target application can access the service server, and if the connection is possible, it corresponds to the network information of the service server, and whether encryption is required when the file is transmitted from the node or whether decryption is required when the file is received. A data flow including file IO (input output) information representing is generated and transmitted to the node and gateway, and when connection is not possible, commands for transmitting result information indicating connection failure to the node may be stored.

A method of operating a gateway according to an embodiment disclosed in this document receives a data flow including file IO (input output) information indicating whether encryption is required when a node transmits a file or decryption is required when a file is received from an external server. and processing the service processing request or the service processing request result based on whether file information is included in the service processing request of the node or the service processing request result through the proxy server of the gateway. can

A method of operating a server according to an embodiment disclosed in this document includes a network access request including identification information of a target application of a node trying to access a network of a service server and network information of the service server from an access control application of a node. An operation of receiving an operation, an operation of checking whether or not access to the service server of the target application is possible based on the database, and corresponding to network information of the service server, whether or not encryption is required when transmitting a file from the node or receiving a file. and generating a data flow including file IO (input output) information indicating whether decoding is necessary and transmitting the data flow to the node and the gateway.

According to the embodiments disclosed in this document, it is possible to control file reception and transmission by application and network by checking whether to allow file input/output of the identified target and allowing file input/output only to the permitted connection target. do.

According to the embodiments disclosed in this document, a service request between an authenticated terminal and a service server and file information included in a service request result may be monitored through a proxy included in a gateway, and file encryption or decryption may be controlled.

According to the embodiments disclosed in this document, files transmitted and received may be selectively encrypted or decrypted according to the policy of the controller.

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 illustrates an architecture within a network environment in accordance with various embodiments.
2 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
3 illustrates control flow information, data flow information, and file table information among information included in a database according to various embodiments.
4 is a functional block diagram of a node in accordance with various embodiments.
5 describes an operation of controlling transmission of a data packet according to various embodiments.
6 shows a signal flow diagram for controller connection according to various embodiments.
7 illustrates a signal flow diagram for user authentication according to various embodiments.
8 illustrates a user interface screen for accessing a controller according to various embodiments.
9 illustrates a signal flow diagram for network access according to various embodiments.
10 illustrates a signal flow diagram for processing of a service processing request according to various embodiments.
11 illustrates a signal flow diagram for receiving a service processing request result according to various embodiments.
12 illustrates a signal flow diagram for transmitting a service request processing log and a rejection log according to various embodiments.
13 shows a signal flow diagram for control flow update according to various embodiments.
14 illustrates a signal flow diagram for control flow cancellation according to various embodiments.
15 shows a signal flow diagram for data flow cancellation according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, and includes various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by modules, programs, or other components are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations are executed in a different order, omitted, or , or one or more other operations may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 illustrates an architecture within a network environment according to various embodiments.

A node 201-1 or 201-2 shown in FIG. 1 may be various types of devices capable of performing data communication. For example, the node 201-1 or 201-2 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a VR (virtual reality) devices, or home appliances, but is not limited to the aforementioned devices. For example, node 201-1 or 201-2 may include a server or gateway capable of transmitting data packets via an application. The node 201-1 or 201-2 may also be referred to as an 'electronic device' or a 'terminal'.

Node 201-1 or 201-2 may each store at least one target application and access control application. For example, node 201-1 may store target application 211-1 and access control application 212-1. Node 201-2 may store target application 211-2 and access control application 212-2.

Each of the target applications 211-1 or 211-2 transmits a data packet to the service server 205-1 or 205-2 through the gateway 203 under the control of the access control application 212-1 or 212-2. Or conversely, data packets can be received.

Some of the targeted applications (211-1 and 211-2) are allowed and/or secured applications, such as web browsers or business applications, while others are disallowed programs (e.g., malware, ransomware, and other unacceptable applications). unsecured applications) or insecure malicious programs (applications that have been infected with malware, forged or tampered with). According to embodiments, the access control application 212-1 or 212-2 identifies a program (or a target application or a process of the target application) requesting data packet transmission, and sends the data packet of the disallowed program to the node ( Transmission to the outside of 201-1 or 201-2) can be prevented. In addition, according to embodiments, the access control application (212-1 or 212-2) is through the channel (220-1 or 220-2) between the access control application (212-1 or 212-2) and the gateway 203 Access to the service server 205-1 or 205-2 of an unauthorized program may be blocked and the corresponding program may be quarantined. A channel 220-1 or 220-2 may be referred to as a 'secure session'.

For example, before the target application 211-1 or 211-2 according to the embodiment communicates with the service server 205-1 or 205-2, the access control application 212-1 or 212-2 is a controller From 202, whether or not access is possible is checked, and if access is possible, authentication with the gateway 203 may be performed through a data packet authenticated by the controller 202. Upon completion of authentication, the access control application 212-1 or 212-2 may create a channel 220-1 or 220-2 with the gateway 203.

According to various embodiments, the node 201-1 or 201-2 is an access control application for managing network access of the target application 211-1 or 211-2 stored in the node 201-1 or 201-2. (212-1 or 212-2) and a network driver (not shown). For example, when an access event to the service server 205-1 or 205-2 of the target application 211-1 or 211-2 stored in the node 201-1 or 201-2 occurs, the access control application 212-1 or 212-2 may determine whether the target application 211-1 or 211-2 is accessible. If the target application 211-1 or 211-2 is accessible, the access control application 212-1 or 212-2 transmits a data packet to the gateway 203 over the channel 220-1 or 220-2. can The access control application 212-1 or 212-2 may control transmission of data packets in the node 201-1 or 201-2 through a kernel including an operating system and a network driver.

The controller 202 may be, for example, a server (or cloud server). The controller 202 manages data transmission between the node 201-1 or 201-2, the gateway 203, and the service server 205-1 or 205-2 to ensure reliable data transmission within the network environment. can For example, the controller 202 allows the network access of the authorized node 201-1 or 201-2 (or the access control application 212-1 or 212-2) through policy information or blacklist information. can do.

In addition, the controller 202 mediates the creation of the channel 220-1 or 220-2 between the access control application 212-1 or 212-2 and the gateway 203, or the node 201-1 or 201-2 ), the gateway 203, or the channel 220-1 or 220-2 may be removed (or retrieved) according to a security event collected from an interlocked security system (not shown). The access control application (212-1 or 212-2) can communicate with the service server (205-1 or 205-2) only through the channel (220-1 or 220-2) authorized by the controller 202, If the authorized channel 220-1 or 220-2 does not exist, network access of the node 201-1 or 201-2 and the access control application 212-1 or 212-2 may be blocked. In one embodiment, the target application 211-1 or 211-2 communicates with the service server 205-1 or 205-2 only through the channel 220-1 or 220-2 authorized by the controller 202. And, if the authorized channel (220-1 or 220-2) does not exist, the network access of the target application (211-1 or 211-2) is connected to the access control application (212-1 or 212-2), the controller ( 202) or can be blocked from the gateway 203. According to one embodiment, the controller 202 may perform various operations (eg, registration, authorization, authentication, In order to perform update and termination), control data packets may be transmitted and received with the access control application 212-1 or 212-2. A flow through which the control data packet is transmitted (eg, 230-1 or 230-2) may be referred to as a 'control flow'.

The gateway 203 may be located at a boundary of a network to which the node 201-1 or 201-2 belongs or a boundary of a network to which the service server 205-1 or 205-2 belongs. For example, the gateway 203 may be located at the boundary of an intranet or cloud. According to one embodiment, the gateway 203 may be connected to the controller 202 on a cloud basis. The gateway 203 may forward only authorized data packets among data packets received from the access control application 212-1 or 212-2 to the service server 205-1 or 205-2. A flow in which data packets are transmitted between the access control application 212-1 or 212-2 and the gateway 203 (eg, 240-1 or 240-2) may be referred to as a 'data flow'. .

Data flows can be created not only on a node or IP basis, but also on a more granular basis (e.g., on an application basis). The gateway 203 authenticates the access control application 212-1 or 212-2 before creating a channel 220-1 or 220-2 between the access control application 212-1 or 212-2 and the gateway 203. is performed, and among the data packets transmitted from the access control application 212-1 or 212-2, only the data packets transmitted through the channel 220-1 or 220-2 are sent to the service server 205-1 or 205-2. By forwarding, indiscriminate network access can be blocked in advance.

The gateway 203 may relay service processing between the authenticated node 201-1 or 201-2 and the service server 205-1 or 205-2 through the proxy server 231 included in the gateway 203. there is. The gateway 203 monitors file information included in the service processing request and the service processing request result through the proxy server 231, and generates a file based on the file IO information included in the data flow 240-1 or 240-2. Encryption and decryption can be controlled. The proxy server 231 may also be referred to as 'proxy'. The proxy server 231 may be a program or application.

2 is a functional block diagram showing a database stored in the controller 202 according to various embodiments, and FIG. 3 shows control flow information 340, data flow information 350, and file table information among information included in the database ( 360).

Referring to FIG. 2 , the controller 202 may store databases 311 to 320 in the memory 330 for control of network access and data transmission. 2 shows only the memory 330, the controller 202 may be an external electronic device (e.g., the node 201-1 or 201-2 of FIG. 1, the gateway 203, or the service server 205-1 or 205- 2)) further includes a communication circuit (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, the processor 410 of FIG. 4 ) for controlling the overall operation of the controller 202 for performing communication with the can do. Since the administrator can connect to the controller 202 and set a connection-oriented policy for controlling access between the access control application 212-1 or 212-2 and the service server 205-1 or 205-2, the service unit You can control network access more precisely and safely than managing sessions in .

The access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access. For example, the controller 202 receives a network access request from the access control application 212-1 or 212-2, the network identified based on the policy of the access policy database 311 (eg, the node 201-1 or 212-2). network to which 201-2 belongs), node 201-1 or 201-2, user (eg, user of node 201-1 or 201-2), and/or application (eg, node 201-1 Alternatively, it may be determined whether the target application 211-1 or 211-2 included in 201-2) can access the service server 205-1 or 205-2. In one embodiment, the controller 202 may create a whitelist of target applications accessible to a specific service (eg, IP and port) based on the access policy database 311 .

The channel policy database 312 connects the node 201-1 or 201-2 and the service server 205-1 or 201-2 (or destination IP and port) on the access path according to the policy of the access policy database 311. It may include information (eg, authentication information, encryption algorithm, and/or Tunnel End Point IP) necessary for channel creation with the gateway 203 existing between The channel policy database 312 may include information for use (eg, whether IP information allocated to nodes is collected and whether alternative processing is performed) when a channel connected in advance through another gateway exists between access paths. there is.

The channel table 318 may include a dedicated channel IP assigned to node 201-1 or 201-2 and channel creation information.

The service policy database 313 connects the node 201-1 or 201-2 and the service server 205-1 or 201-2 (or destination IP and port) on the access path according to the policy of the access policy database 311. The node 201-1 or 201-2 relays a service processing request with the service server 205-1 or 205-2 through the proxy server 231 included in the gateway 203 existing between the domains Information required to pass through the proxy server 231 when attempting access to the address (e.g., domain address resolution information, certificate required for accessing the domain, and/or whether to return the service processing request result as failure information when data flow check fails, or information on whether to redirect to another URL).

The file IO policy database 314 is associated with an access policy and may include information for establishing a file IO policy for the target application 211-1 or 211-2. For example, the file IO policy database 314 may include information on whether to decrypt a file when the target application 211-1 or 211-2 receives it, and information on whether to encrypt the file when transmitting it. In addition, the file IO policy database 314 may include algorithms used for encryption or decryption and/or encryption or decryption key generation information.

The blacklist policy database 315 is a target identified through analysis of the risk, occurrence cycle, and/or behavior of security events among security events periodically collected by the node 201-1 or 201-2 or the gateway 203 ( Example: A blacklist registration policy for blocking access of at least one of a node identifier (ID), an IP address, a media access control (MAC) address, or a user ID) may be indicated.

The blacklist database 320 may include a list of objects blocked by the blacklist policy database 315 . For example, if the identification information of the node 201-1 or 201-2 requesting network access is included in the blacklist database 320, the controller 202 rejects the network access request, thereby blocking the node 201-1 or 201 -2) can be isolated.

The control flow table 316 is an example of a session table for managing a flow of control data packets generated between the connection control application 212-1 or 212-2 and the controller 202 (ie, control flow).

For example, referring to FIG. 3 , when the access control application 212-1 or 212-2 successfully accesses the controller 202, control flow information 340 and control flow ID 342 (or 'control flow Also referred to as 'identification information') may be generated by the controller 202 . The control flow information 340 may include identification information 344 indicating at least one of an IP identified during controller access and authentication, a node, an application, or an object additionally identified through association with a service server. For example, when a network access request from the access control application 212-1 or 212-2 is received, the controller 202 converts the control flow ID and identification information included in the access request to the control flow information 340. Whether access control application 212-1 or 212-2 can connect to service server 205-1 or 205-2 and channel with gateway 203 by mapping with flow ID 342 and identification information 344 It is possible to determine whether or not to create a data flow for creation. State information 346 may indicate various states such as creation, authentication, renewal, termination, and the like of the control flow.

According to one embodiment, since the control flow has an expiration time, the node 201 needs to update the expiration time of the control flow based on the time information 348, and if the expiration time is not updated for a certain period of time, the control flow ( Alternatively, the control flow information 340 may be removed. In addition, immediate access is blocked according to a security event collected from the node 201-1 or 201-2, the access control application 212-1 or 212-2, another security application (not shown), or the gateway 203. The controller 202 may remove the control flow if it is determined that it is necessary or if a connection termination request is received from them. When the control flow is removed, the associated data flow is also removed, and the gateway 203 connects the access control application 212-1 or 212-2 or the service server 205-1 or 205 of the target application 211-1 or 211-2. Access to -2) can be blocked.

The data flow table 317 is a flow (e.g., data flow ) is a table for managing Data flows can be created in TCP sessions, applications, or more granular units. The data flow table 316 may include an application ID, destination IP address, and/or service port for identifying whether a data packet transmitted from a source is an authorized data packet.

Referring to FIG. 3 , data flow information 350 may include a data flow ID 351 for identifying a data flow and a control flow ID 352 when the data flow is dependent on the control flow. Since the node 201-1 or 201-2 or access control application 212-1 or 212-2 can create channels and sessions with one or more gateways, the controller 202 determines the control flow ID assigned to the transmitting entity. 352 can manage the data flow dependent thereon. In addition, the data flow information 350 indicates whether a channel has been created between the access control application 212-1 or 212-2 and the gateway 203, and the service server 205-1 or 205-1 through the proxy server 231. 205-2), data based on URL information and domain information to control service requests according to source IP and destination IP of data packets, service port information, protocol information, certificate information, and service request path (URL) Inspection target information 353 for determining packet forwarding may be included. In addition, the data flow information 350 may include state information 356 indicating whether the data flow is in a usable and valid state. Also, the data flow information 350 may further include file IO information 354 . The file IO information 354 may include whether or not decryption is required when a file is received, whether encryption is required when a file is transmitted, and exception information for file IO processing. The file IO information 354 may include target information (or policy information) to which control information for file encryption or decryption is applied (domain information, URL information, and/or file type information). In addition, the data flow information 350 may further include encryption/decryption information 355 for encrypting or decrypting a file. For example, the encryption/decryption information 355 may include information on whether to generate an encryption key in a gateway or a controller, an encryption key, and an encryption algorithm when a file is encrypted when a file is transmitted.

The file table 319 is a database for managing file encryption or decryption and may include file table information 360 .

Referring to FIG. 3 , the file table information 360 may store examination target information 362 for identifying an examination target in which transmission and reception of files have occurred in the gateway 203 . The inspection target information 362 may include, for example, a source IP and a destination IP, service port information, protocol information, certificate information, a service request path (URL), and domain information. Also, the file table information 360 may include file information 364 for searching for an encryption key or a decryption key of a file. The file information 364 may include unique information and identification information of the file (eg, file name, partial content or header information of the file, hash information, and/or signature information). Also, the file table information 360 may further include encryption/decryption information 366. The encryption/decryption information 366 may include a key used for file encryption, a key used for decryption, an encryption algorithm type, and a decryption algorithm type. The file table information 360 may be managed by the controller 202 and gateway 203 .

4 shows a functional block diagram of a node 201-1 or 201-2 according to various embodiments. At least some of the configurations shown in FIG. 4 may be applied to the controller 202, the gateway 203, or the service server 205-1 or 205-2.

Referring to FIG. 4 , a node 201-1 or 201-2 may include a processor 410, a memory 420, and a communication circuit 430. According to one embodiment, the node 201-1 or 201-2 may further include a display 440 to provide a user interface.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically connected to other components (eg, memory 420, communication circuit 430, or display 440) in node 201-1 or 201-2. ) or operatively coupled with or connected to. The processor 410 may receive commands from other components, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver. The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like. The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to one embodiment, the memory 420 may store the target application 211-1 or 211-2 and the access control application 212-1 or 212-2 of FIG. 1 . The access control application 212-1 or 212-2 may perform a network connection with the gateway 203 and creation of a channel 220-1 or 220-2, and a control flow creation and update function with the controller 202. . To this end, the access control application 212-1 or 212-2 may include one or more security modules. In one embodiment, the memory 420 may store control flow information 340 , data flow information 350 , and file table information 360 of FIG. 3 .

In one embodiment, the target application 211-1 or 211-2 may include one or more security modules to create a channel 220-1 or 220-2 with the gateway 203.

The communication circuit 430 establishes a wired or wireless communication connection between the node 201-1 or 201-2 and an external electronic device (eg, the controller 202 or the gateway 203), and performs communication through the established connection. can support According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integral touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

5 describes an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 5, the access control application 212 detects a network access request to the service server 205 from the target application 211 included in the node 201, and the node 201 or the access control application 212 ) can determine whether or not the controller 202 is in a connected state. When the node 201 or the access control application 212 is not connected to the controller 202, the access control application 212 may block transmission of data packets in a kernel or network driver included in an operating system. The access control application 212 can only transmit data packets for requesting access to the controller 202, and no data packets are transmitted to the service server 205 when not connected to the controller 202. The access control application 212 accesses the controller 202 to perform identification and authentication on the target application 211, and after the authentication is performed, the service server of the target application 211 queries the controller 202 for access network information. It is possible to check whether access to 205 is possible, and only authorized applications can access the service server 205 . Through the access control application 212, the node 201 can block access of malicious applications (eg, ransomware or malware) in advance in the application layer among the 7 layers of open system interconnection (OSI). there is.

In one embodiment, transmission from the access control application 212 if the access control application 212 has not been authenticated by the gateway 203 or if a channel between the access control application 212 and the gateway 203 has not been created. Data packets to be transmitted may be blocked by the gateway 203. Depending on the embodiment, even if the access control application 212 is not authenticated by the gateway 203, a data packet transmitted from the access control application 212 may not be blocked by the gateway 203.

According to another embodiment, if the access control application 212 is not installed on the node 201 or if a malicious application bypasses control of the access control application 212, unauthorized data packets may be transmitted from the node 201. there is. In this case, since the gateway 203 present at the boundary of the network blocks data packets that are received as an unauthorized secure session and data packets that do not have a data flow, the data packets transmitted from the node 201 (e.g., TCP session data packets for generation) may not reach the service server 205 . In other words, node 201 can be isolated from service server 205 .

6 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to access the network, the access control application 212 of the node 201 requests the controller 202 to create a control flow so that the node 201 You can try to connect to the controller of

Referring to FIG. 6 , in operation 605 , node 201 may detect a controller connection event. For example, when connection control application 212 is installed and/or executed within node 201, node 201 may detect that a connection to controller 202 is being requested.

At operation 610 , node 201 may request controller connection from controller 202 . For example, the connection control application 212 can transmit identification information of the connection control application 212 to the controller 202 . Additionally, the access control application 212 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.

In operation 615 , the controller 202 may identify whether or not the controller access of the target (eg, the access control application 212 and the node 201 ) requesting the controller connection is possible. According to one embodiment, the controller 202 controls whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or access control. Based on at least one of whether the identification information of the application 212 is included in the blacklist database 315 , it is possible to determine whether the controller access of the object requesting the controller access is possible.

If the controller 202 can create a control flow between the node 201 (or the connection control application 212 ) and the controller 202 , the controller 202 can create a control flow. At operation 620 , controller 202 may create a control flow between node 201 (or connection control application 212 ) and controller 202 . In this case, the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 212 into a control flow table ( 316) can be stored. Information (e.g., control flow information 340) stored in the control flow table 316 is used for user authentication of the node 201, information update of the node 201, policy check for network access of the node 201, and/or Or it can be used for validation.

In operation 625 , the controller 202 may check an access policy corresponding to the information identified in the access policy database 311 (eg, node 201 and source network information to which the node 201 belongs). The controller 202 may generate whitelist information of accessible applications based on the checked access policy. The controller 202 may check the channel policy through the IP of the node 201 identified in the channel policy database 312 . The controller 202 lists the channel types and gateways to which the node 201 can connect based on the identified channel policy, and checks the status (eg, throughput and/or failure) of the listed gateways to catalog them. Among the gateways, one channel and one gateway optimized for the node 201 can be identified. In other embodiments, the controller 202 may not perform operations 620 and 625. For example, if access to the controller of the target requesting access is not possible, the controller 202 may not perform operations 620 and 625 .

At operation 630 , the controller 202 may transmit a response to the controller connection request to the node 201 . In one embodiment, the controller 202 may transmit control flow information 340 including control flow identification information to the node 201 in response to the controller connection request. In one embodiment, the controller 202 may transmit the white list generated through the execution of operation 625 to the connection control application 212 . In one embodiment, the controller 202 may transmit information necessary for creating a channel including the identified gateway and channel authentication information to the node 201 through the execution of operation 625 . Depending on the embodiment, when access is made through a pre-connected channel between the node 201 and the gateway 203, or when access is made between the node 201 and the gateway 203 through another channel technology, the controller 202 ) may not transmit separate channel creation information to the node 201. Depending on the embodiment, if the target for which access to the controller is requested is unavailable or included in the blacklist, the controller 202 may notify controller access failure in response to the controller access request without generating a control flow.

In one embodiment, node 201 may process the resulting value according to the received response. For example, the connection control application 212 may store the received control flow identification information and display a user interface screen (not shown) indicating completion of the controller connection to the user. When the controller connection is completed, the network access request of the node 201 to the service server 205 may be controlled by the controller 202 .

Depending on the embodiment, the controller 202 may determine that the node 201 is inaccessible. For example, when the controller connection unavailability information is received, the node 201 may stop or terminate the execution of the connection control application 212 or output a user interface screen indicating that the controller connection is unavailable to the user. For example, the user interface screen may include a user interface indicating that access to the node 201 is blocked and guiding isolation release through an administrator (eg, the controller 202).

Depending on the embodiment, the controller 202 may determine that channel creation is necessary. When channel creation is required, the controller 202 may transmit information for channel creation to the node 201 . For example, when information for channel creation is received from the controller 202, the node 201 may perform a channel creation process step. At operation 635 , node 201 may request gateway 203 to create a channel. For example, the node 201 may request the gateway 203 to create a channel based on channel creation information (eg, gateway and channel authentication information) received from the controller 202 .

Depending on the embodiment, the controller 202 may determine that channel creation is unnecessary. For example, when information indicating that channel creation is unnecessary is received from the controller 202, or when information for creating a separate channel is not received from the controller 202, the node 201 completes channel creation. It is determined that it is, and the next step (application inspection step) can be performed.

In one embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may further perform operations 635 to 660. Depending on the embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may perform all or part of operations 635 to 660.

At operation 640, the access control application 212 may perform a check of the application. For example, when the white list is received from the controller 202 , the access control application 212 may check whether applications included in the white list are installed in the node 201 . In the case of applications included in the white list among the applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (eg whether or not the application is forged or tampered with, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

At operation 645 , the access control application 212 may send the application's test result to the controller 202 . The controller 202 may check whether the application is valid based on the check result. If the application is valid, the controller 202 checks the gateway 203 where the node 201 is located in the access policy for the node 201 to allow the node 201 to access the network, and then performs operation 650. can do.

In operation 650, the controller 202 configures source IP, destination IP, service port information, protocol information, A data flow including certificate information, domain and URL information can be created.

The controller 202 may check the file IO policy when creating the data flow and generate the file IO information 354 based on the file IO policy. The generated file IO information 354 may be included in the data flow information 350 of the data flow. The file IO information 354 may include policy information related to file IO access (eg, file transmission (or upload) and file reception (or download)) of an application using a data flow. For example, the file IO information 354 may include whether to encrypt when a file is transmitted by an application and whether to decrypt when a file is received by an application. When encrypting or decrypting a file, the file IO information 354 may include whether encryption or decryption is performed for each URL and whether encryption or decryption is performed for each file type.

At operation 655, the controller 202 may transmit a response to the transmission of the application check result of the connection control application 212. For example, the controller 202 may transmit data flow information 350 including file IO information 354 to the connection control application 212 . Also, in operation 660 , the controller 202 may transmit the data flow information 350 including the file IO information 354 to the gateway 203 .

7 illustrates a signal flow diagram for user authentication according to various embodiments, and FIG. 8 illustrates a user interface screen for controller access according to various embodiments. Operations shown in FIG. 7 may be implemented after the signal flow diagram of FIG. 6 , for example.

In order for the node 201 to receive detailed access rights to the destination network, the access control application 212 of the node 201 may authenticate the user of the node 201 from the controller 202 .

Referring to FIG. 7 , in operation 705 , node 201 may receive an input for user authentication. An input for user authentication may be, for example, a user input for inputting a user ID and password. For another example, the input for user authentication may be a user input (eg, biometric information) for stronger authentication.

For example, referring to FIG. 8 , when the access control application 212 is executed, the node 201 may display a user interface screen 810 for receiving information required for controller access. The user interface screen 810 includes an input window 811 for inputting controller access information (eg, IP or domain), an input window 812 for inputting a user ID, and/or an input window for inputting a password ( 813) may be included. After information is input to the input windows 811 , 812 , and 813 , the node 201 may detect a controller connection event by receiving an input to the button 814 or 815 for user authentication. For example, if controller access information, user ID, and password are entered, node 201 may receive an input for a button 815 for accessing the controller as a user. As another example, if only the controller access information is input and the user ID and password are not input, the node 201 may receive an input for a button 814 for accessing the controller as a guest.

At operation 710 , node 201 may request user authentication from controller 202 . For example, the access control application 212 provides input information for user authentication (eg, controller access information, user ID, and/or password entered into the input windows 811, 812, and 813 of FIG. 8) to the controller. (202). If the control flow between the node 201 and the controller 202 has already been created, the access control application 212 may transmit input information for user authentication together with control flow identification information.

At operation 715 , controller 202 may authenticate the user based on the information received from node 201 . For example, the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (eg, the access policy database 311 of FIG. 2 ). ) or the blacklist database 320), it is possible to determine whether the user can access according to the access policy and whether the user is included in the blacklist.

When the user is authenticated, the controller 202 checks the control flow information 340 in the control flow table 316 based on the control flow identification information transmitted by the node 201, and in the checked control flow information 340 User identification information (e.g. user ID) can be added. The added user identification information can be used for the authenticated user's controller access or network access.

As another example, if the controller 202 does not receive the user ID, password, and/or enhanced authentication information from the node 201 and receives only the controller access information, the controller 202 cannot authenticate the user, An unidentified user (or, An access policy corresponding to the guest) may be applied.

In operation 720, the controller 202 may check an access policy corresponding to the information identified in the access policy database 311 (eg, the node 201 and source network information to which the node 201 belongs). The controller 202 may generate white list information of accessible applications based on the checked access policy. The controller 202 may check the channel policy through the IP of the node 201 identified in the channel policy database 312 . The controller 202 lists the channel types and gateways to which the node 201 can connect based on the identified channel policy, and checks the status (eg, throughput and/or failure) of the listed gateways to catalog them. Among the selected gateways, one channel and one gateway optimized for the node 201 can be identified. In other embodiments, the controller 202 may not perform operation 720. For example, if access to the controller of the target requesting access is not possible, the controller 202 may not perform operation 720 .

At operation 725 , controller 202 may transmit a response to the user authentication request to node 201 . In one embodiment, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In one embodiment, the controller 202 may transmit the white list generated through the execution of operation 720 to the connection control application 212 . In one embodiment, the controller 202 may transmit information necessary for creating a channel including the identified gateway and channel authentication information to the node 201 through the execution of operation 625 . Depending on the embodiment, when access is made through a pre-connected channel between the node 201 and the gateway 203, or when access is made between the node 201 and the gateway 203 through another channel technology, the controller 202 ) may not transmit separate channel creation information to the node 201. Depending on the embodiment, if the object for which access to the controller is requested is unavailable or is included in the blacklist, the controller 202 may notify the controller 202 of inability to access the controller in response to the user authentication request.

In one embodiment, node 201 may process the resulting value for user authentication. For example, the node 201 may output a user interface screen indicating completion of user authentication to the user through a display.

According to another embodiment, the controller 202 may determine that user authentication is impossible. For example, if the user's identification information is included in the blacklist database, the controller 202 may determine that user authentication is impossible. In this case, in operation 725, the controller 202 may transmit information indicating that user authentication is not possible to the node 201, and the node 201 may stop or terminate execution of the access control application 212, or user authentication. A user interface screen indicating this failure may be output through a display. For example, referring to FIG. 8 , node 201 may display user interface screen 820 via access control application 212 . The user interface screen 820 may include a user interface 825 indicating that access to the node 201 is blocked and guiding isolation release through an administrator (eg, the controller 202).

Depending on the embodiment, the controller 202 may determine that channel creation is necessary. When channel creation is required, the controller 202 may transmit information for channel creation to the node 201 . For example, when information for channel creation is received from the controller 202, the node 201 may perform a channel creation process step. At operation 730 , node 201 may request gateway 203 to create a channel. For example, the node 201 may request the gateway 203 to create a channel based on channel creation information (eg, gateway and channel authentication information) received from the controller 202 .

Depending on the embodiment, the controller 202 may determine that channel creation is unnecessary. For example, when information indicating that channel creation is unnecessary is received from the controller 202, or when information for creating a separate channel is not received from the controller 202, the node 201 completes channel creation. It is determined that it is, and the next step (application inspection step) can be performed.

In one embodiment, the connection control application 212 of the node 201, the controller 202, and the gateway 203 may further perform operations 730 to 755. Depending on the embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may perform all or part of operations 730 to 755.

At operation 735, the access control application 212 may perform a check of the application. For example, when the white list is received from the controller 202 , the access control application 212 may check whether applications included in the white list are installed in the node 201 . In the case of applications included in the white list among the applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (eg whether or not the application is forged or tampered with, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

At operation 740 , the access control application 212 may send the application's test results to the controller 202 .

The controller 202 may verify whether the application is valid based on the inspection result. If the application is valid, the controller 202 checks the gateway 203 where the node 201 is located in the access policy for the node 201 to allow the node 201 to access the network, and then performs operation 745. can do.

In operation 745, the controller 202 configures source IP, destination IP, service port information, protocol information, A data flow including certificate information, domain and URL information can be created.

The controller 202 may check the file IO policy when creating the data flow and generate the file IO information 354 based on the file IO policy. The generated file IO information 354 may be included in the data flow information 350 of the data flow. The file IO information 354 may include policy information related to file IO access (eg, file transmission (or upload) and file reception (or download)) of an application using a data flow. For example, the file IO information 354 may include whether to encrypt when a file is transmitted by an application and whether to decrypt when a file is received by an application. When encrypting or decrypting a file, the file IO information 354 may include whether encryption or decryption is performed for each URL and whether encryption or decryption is performed for each file type.

At operation 750, the controller 202 may transmit a response to the application test result transmission of the connection control application 212. For example, the controller 202 may transmit data flow information 350 including file IO information 354 to the connection control application 212 . Also, in operation 755 , the controller 202 may transmit the data flow information 350 including the file IO information 354 to the gateway 203 .

9 illustrates a signal flow diagram for network access according to various embodiments, and the operations shown in FIG. 9 may be implemented after the signal flow diagram of FIG. 6 or FIG. 7 , for example.

Referring to FIG. 9 , in operation 905 , node 201 may detect a network connection event. For example, node 201 can detect through access control application 212 that a target application is attempting to connect to service server 205 .

In one embodiment, the connection control application 212 may inspect the data flow when a network connection event is detected. For example, the access control application 212 may check whether a data flow corresponding to identification information, destination IP and/or port information of the target application exists. In addition, the access control application 212 may check whether the corresponding data flow is valid even if the data flow exists. For example, the access control application 212 checks the integrity and safety of the access control application 212 and the target application according to the validation policy (eg, forgery or tampering of the application, code signing inspection, fingerprint inspection) And, according to the access policy received from the controller 202, whether or not access to the destination IP and port of the target application installed in the node 201 is possible may be checked.

If there is a valid data flow, the access control application 212 can skip the following operations and transmit the target application's data packet to the gateway 203 over the channel.

If the data flow exists but is not valid, the connection control application 212 may display a user interface screen indicating that the network connection has failed without transmitting the data packet.

If the data flow does not exist, or if renewal is required because the authentication time of the data flow has expired, or if renewal of the data flow is required for other reasons, the access control application 212 may request the controller 202 to connect to the network. there is. According to an embodiment, the access control application 212 performs integrity and safety checks of the access control application 212 and the target application according to a validation policy before requesting network access, and when the integrity and stability of the application are confirmed, the controller 202 may be requested for network access.

At operation 910 , the access control application 212 may request the controller 202 to connect to the network to the service server 205 . In this case, the access control application 212 may transmit target application identification information and identification information (eg, IP and service port) of the service server 205 to the controller 202 together with identification information of the control flow.

At operation 915 , the controller 202 may check the access policy and channel policy associated with the target application in response to the request received from the access control application 212 .

The controller 202 may check whether the target application satisfies the access policy of the access policy database 311 . For example, the controller 202 determines whether or not identification information of a target (eg, target application) requesting network access and the requested target (eg, service server 205) are included in the access policy database 311 and network access. It is possible to check whether the requesting target can access the gateway.

If access to the target application is impossible, the controller 202 may transmit information indicating that access is not possible to the node 201 in operation 920 . In this case, the connection control application 212 may output a user interface screen indicating that connection is impossible through the display.

If access of the target application is possible, the controller 202 may check whether a channel for accessing a target (eg, the service server 205) for which network access is requested is created in the channel table 318. For example, when the channel is not created, the controller 202 can check whether channel creation is necessary to access the service server 205 in the channel policy of the channel policy database 312 . If channel creation is required, the controller 202 may transmit a result indicating network connection failure to the node 201 . As another example, if a channel has been created or it is determined that channel creation is unnecessary in the channel policy, the controller 202 provides information requested by the node 201 for network access in the data flow table 317 (eg, destination IP and service It is possible to check whether there is a valid data flow corresponding to the port information).

If a valid data flow exists, controller 202 may transmit data flow information to node 201 . If a valid data flow does not exist, the controller 202 may create a data flow including source IP, destination IP, service port information, protocol information, certificate information, domain and URL information.

The controller 202 may check the file IO policy when creating the data flow and generate the file IO information 354 based on the file IO policy. The generated file IO information 354 may be included in the data flow information 350 of the data flow. The file IO information 354 may include policy information related to file IO access (eg, file transmission (or upload) and file reception (or download)) of an application using a data flow. For example, the file IO information 354 may include whether to encrypt when a file is transmitted by an application and whether to decrypt when a file is received by an application. When encrypting or decrypting a file, the file IO information 354 may include whether encryption or decryption is performed for each URL and whether encryption or decryption is performed for each file type.

In operation 920 , the controller 202 may transmit a response to the network access request of the access control application 212 to the node 201 . For example, the controller 202 may transmit the data flow information 350 generated through the execution of operation 915 to the connection control application 212 . Depending on the embodiment, when the connection requesting target cannot be accessed, the controller 202 may notify the network connection failure in response to the network access request.

Node 201 may process the resulting value according to the received response. For example, the access control application 212 may store the received data flow information 350 and transmit a data packet of a target application when a network connection is available. For another example, when receiving a response indicating that network access is unavailable, the node 201 may drop a data packet of the target application.

Also, at operation 925 , the controller 202 may transmit data flow information 350 to the gateway 203 .

10 illustrates a signal flow diagram for processing of a service processing request according to various embodiments.

In operation 1005, the proxy server 231 may detect a service processing request event. For example, the proxy server 231 may confirm that a service processing request event has occurred when a target application (or its process) requests service processing from the service server 205 .

The proxy server 231 may check whether a data flow corresponding to source IP or certificate identification information, destination IP or domain and port information, and/or protocol information included in the service processing request information received from the target application exists. there is. When a data flow exists, the proxy server 231 may perform the following operations.

In operation 1010, the proxy server 231 may check whether file information is included in the service processing request information. If the file information is not included, the proxy server 231 may forward the service processing request to the service server 205 . If the file information is included, the proxy server 231 may perform operation 1015.

In operation 1015, the proxy server 231 may check whether the file is encrypted. The proxy server 231 can check whether encryption is required when transmitting a file from the file IO information 354 included in the data flow information 350 . When encryption is required during file transmission, for example, the proxy server 231 may determine whether encryption is required based on the file extension. The proxy server 231 may check whether the extension of the file information included in the service processing request information in the file IO information 354 is an extension that requires encryption when transmitting the file.

When encryption is not required when transmitting a file, the proxy server 231 may forward a service processing request to the service server 205 . When encryption is required when transmitting a file, the proxy server 231 may extract unique information and identification information (eg, file name, partial contents or header information of the file, hash information, and/or signature information) of the file. The proxy server 231 may check whether encrypted file information corresponding to the extracted unique information and identification information exists in the file table 319 stored in the memory of the gateway 203 .

If file information exists in the file table 319, since the target file has already been encrypted, the proxy server 231 may forward the service processing request to the service server 205. When file information does not exist in the file table 319, whether to generate an encryption key in the gateway 203 or the controller 202 according to the encryption/decryption information 355 included in the data flow information 350 is determined. You can check. For example, when an encryption key is generated by the gateway 203, the gateway 203 may generate an encryption key based on the encryption/decryption information 355 and encrypt a file using the generated encryption key. The gateway 203 may forward a service processing request after encrypting a file. As another example, when the controller 202 generates an encryption key, the gateway 203 may perform operation 1020 .

In operation 1020, gateway 203 may request file encryption information from controller 202 including file identification information. The file identification information may include unique information and identification information of the file (eg, file name, partial content or header information of the file, hash information, and/or signature information). The gateway 203 may transmit data flow identification information or inspection target identification information together with file identification information.

At operation 1025, the controller 202 may generate file encryption information. The controller 202 identifies a data flow based on the data flow identification information or inspection target identification information received from the gateway 203, and selects a target in the file table 319 based on the file identification information received from the gateway 203. It is possible to check whether file information of a file (or a file corresponding to file identification information) exists.

If file information of the target file exists in the file table 319, since the target file is already an encrypted file, the controller 202 may transmit information indicating that encryption is unnecessary to the gateway 203. When file information of the target file does not exist in the file table 319, the controller 202 generates an encryption key according to the file IO policy of the file IO policy database 314, and generates file information of the target file to be encrypted; The data flow information 350 and the file table information 360 may be updated by adding encryption/decryption information including encryption or decryption keys and algorithms to the data flow and file table.

At operation 1030, the controller 202 may transmit a response to the file encryption information request. For example, if the file is already encrypted, the controller 202 may transmit information indicating that encryption is unnecessary to the gateway 203 . As another example, if the file is not encrypted, the controller 202 may generate encryption information (eg, an encryption key and an encryption algorithm) and transmit the generated encryption information to the gateway 203 .

In operation 1035, the proxy server 231 may perform a file encryption process. For example, the proxy server 231 may encrypt a target file based on encryption information received from the encryption information controller 202 generated by the gateway 203 . The proxy server 231 updates the file table information 360 of the gateway 202 by extracting identification information (eg, file name, partial contents or header information of the file, hash information, and/or signature information) of the encrypted file. can do.

In operation 1040, the proxy server 231 may forward the service processing request. For example, the proxy server 231 may forward a service processing request when encryption of a file is unnecessary (eg, when the file is already encrypted). As another example, the proxy server 231 may forward a service processing request after encrypting a file based on encryption information generated by the gateway 203 or encryption information received from the controller 202 .

In operation 1045 , the proxy server 231 may transmit a file encryption processing result to the controller 202 . For example, the proxy server 231 may transmit file identification information, encryption information including an encryption key generated by the gateway 203, and encrypted file information to the controller 202.

At operation 1050, the controller 202 may update the file table. The controller 202 may identify a data flow based on data flow identification information or inspection target information received from the gateway 203 and update a file table based on the received file identification information. The controller 202 may update the file table information 360 based on the encryption information and the encrypted file information received from the gateway 202, and then use the updated file table information 360 when decrypting the target file. can

11 illustrates a signal flow diagram for receiving a service processing request result according to various embodiments. Operations shown in FIG. 11 may be implemented after the signal flow diagram of FIG. 10 , for example.

In operation 1105, the proxy server 231 may detect a reception event as a result of the service processing request. For example, the proxy server 231 may confirm that a reception event has occurred as a result of the service processing request when receiving a result of the service processing request according to the process of FIG. 10 . When receiving a result of the service processing request according to the process of FIG. 10 , the proxy server 231 may check whether a file is encrypted for service processing request result information based on a pre-identified data flow.

In operation 1110, the proxy server 231 may check whether file information is included in service processing request result information. If the file information is not included, the proxy server 231 may forward the service processing request result to the node 201 . If the file information is included, the proxy server 231 may perform operation 1115.

In operation 1115, the proxy server 231 may check whether the file is encrypted. The proxy server 231 extracts unique information and identification information (eg, file name, partial contents or header information of the file, hash information, and/or signature information) of the file, and the gateway 203 based on the extracted information. In the file table 319, it is possible to check whether encrypted file information exists. For example, when encrypted file information exists, the proxy server 231 decrypts the target file using the encryption or decryption key and algorithm included in the encryption/decryption information 366 and forwards the service processing request result. can As another example, when encrypted file information does not exist, the proxy server 231 may perform operation 1120.

In operation 1120, the proxy server 231 may request file decryption information from the controller 202 including file identification information. The file identification information may include unique information and identification information of the file (eg, file name, partial content or header information of the file, hash information, and/or signature information). The gateway 203 may transmit data flow identification information or inspection target identification information together with file identification information.

At operation 1125, the controller 202 may check the file decryption information. The controller 202 identifies a data flow based on the data flow identification information or inspection target identification information received from the gateway 203, and selects a target in the file table 319 based on the file identification information received from the gateway 203. It is possible to check whether file information of a file (or a file corresponding to file identification information) exists.

If file information of the target file exists in the file table 319, since the target file is an encrypted file, the controller 202 may transmit decryption algorithm and decryption key information required for decryption to the gateway 203. If file information of the target file does not exist in the file table 319, since the target file is not an encrypted file, information indicating that decryption is unnecessary may be transmitted to the gateway 203.

In operation 1130, the controller 202 may transmit a response to the file decryption information request. For example, when a file is encrypted, the controller 202 may transmit decryption information (eg, a decryption algorithm and a decryption key) to the gateway 203 . As another example, if the file is not encrypted, the controller 202 may transmit information indicating that decryption is unnecessary to the gateway 203 .

In operation 1135, the proxy server 231 may perform file decryption processing. For example, when decryption information is received from the controller 202, the proxy server 231 may decrypt the target file based on the received decryption information.

In operation 1140, the proxy server 231 may forward the service processing request. For example, the proxy server 231 may forward a service processing request result when encryption of a file is unnecessary (eg, when the file is not encrypted). As another example, after the proxy server 231 decrypts the file based on the encryption/decryption information 366 included in the file table information 360 of the gateway 203 or based on the decryption information received from the controller 202 Service processing request results can be forwarded to .

12 illustrates a signal flow diagram for transmitting a service request processing log and a rejection log according to various embodiments.

In operation 1205 , the proxy server 231 may transmit a service request processing log and a rejection log to the controller 202 . The proxy server 231 may transmit a service request processing log and a rejection log to the controller 202 in units of designated time. For example, the service request may include a service processing request to the service server 205 of the node 201 .

At operation 1210 , controller 202 may analyze logs received from gateway 203 . The controller 202 may update statistical information on service requests and rejections based on the received log information. The controller 202 analyzes the received log to check whether the target (eg, the node 201 or the target application 211 of the node 201) that requested the service is performing an abnormal behavior. For example, if the object requesting the service is performing an abnormal behavior, the controller 202 may register the object in the blacklist 320 according to the blacklist policy of the blacklist policy database 315 . In addition, the controller may block the object's service access by removing the data flow and control flow of the object performing the non-ideal behavior. The controller 202 may return updated data flow information to the gateway 203 .

In operation 1215 , the controller 202 may transmit the update result of the data flow to the gateway 203 . When the data flow needs to be removed according to the received data flow information, the gateway 203 removes the data flow of the object performing the non-ideal behavior from the data flow table 317 so that the object no longer requests service access can make it impossible

13 illustrates a signal flow diagram for updating a control flow according to various embodiments.

Referring to FIG. 13 , in operation 1305, the access control application 212 may request a control flow update.

In one embodiment, the access control application 212 may request a control flow update from the controller 202 to maintain the control flow and data flow. In one embodiment, the access control application 212 may request a control flow update including identification information of the control flow for each specified period.

At operation 1310, the controller 202 may update (check) the control flow. For example, the controller 202 determines whether the control flow information 340 indicated by the received identification information exists in the control flow table 316, and if the control flow information 340 exists, the data flow information 350 subordinate thereto You can check if exists. When the connection is released by another security system, the update time elapses, or the connection is released due to risk detection, the control flow may not exist. If the control flow does not exist, the controller 202 may return connection unavailable information to the node 201 . When a control flow exists, the controller 202 may update an update time or an expiration time of the control flow and search for a data flow subordinate to the control flow. For example, if re-authentication needs to be performed in the searched data flow or there is a data flow to which access is no longer possible, the controller 202 may return corresponding data flow information to the node 201 .

For example, if the update (check) fails, the controller 202 may send connection unavailable information to the node 201 . In this case, the node 201 may terminate the access control application 212 or block the access control application 212 from accessing the network. For another example, if the update (check) succeeds, the controller 202 may update the expiration time of the control flow and the data flow dependent thereon. The controller 202 may transmit updated control flow information and data flow information to the node 201 . In this case, the node 201 may update control flow information 340 and data flow information 350 .

In operation 1315 , the controller 202 may transmit update (check) result information to the connection control application 212 . For example, if the update (check) fails, the controller 202 may transmit unreachable information. For another example, if the update (check) is successful, the controller 202 may transmit the updated control flow information 340 and data flow information 350 subordinate thereto to the access control application 212 . In this case, the node 201 may update control flow information 340 and data flow information 350 .

The access control application 212 may process update (check) result information. If the control flow update result indicates that access is unavailable, the access control application 212 may terminate the target application or block all network access of the target application. If the control flow update result indicates normal and there is updated data flow information 350 , the connection control application 212 may update the data flow table 316 in the connection control application 212 .

14 illustrates a signal flow diagram for control flow cancellation according to various embodiments.

Referring to FIG. 14 , in operation 1405, the node 201 may request the controller 202 to terminate the control flow. For example, the node 201 may request control flow termination when the connection control application 212 is terminated, when the network connection is not used for a specified amount of time, or when a connection termination request is received from another system.

At operation 1410 , controller 202 can remove the control flow corresponding to the identification information received from node 201 . The controller 202 may also remove the data flow dependent on the removed control flow.

In operation 1415, the controller 202 requests the gateway 203 to remove the data flow, and in operation 1420, the gateway 203 may block the connection control application 212 from accessing the network by removing the data flow.

15 illustrates a signal flow diagram for data flow cancellation according to various embodiments.

Referring to FIG. 15 , in operation 1505, the access control application 212 may detect termination of the target application. The access control application 212 may monitor in real time whether a target application running on the node 201 is terminated.

In operation 1510 the access control application 212 may request the controller 202 to terminate the data flow. For example, the access control application 212 may transmit data flow identification information allocated to the terminated target application or identification information of the target application to the controller 202 to request termination of the data flow.

In operation 1515 , the controller 202 may remove the data flow based on the data flow identification information received from the node 201 or the identification information of the target application. The controller 202 may identify and search for a control flow based on the received data flow identification information or the identification information of the target application, and may remove a data flow bound to the identified and searched control flow.

In operation 1520, the controller 202 requests the gateway 203 to remove the data flow, and in operation 1525, the gateway 203 removes the data flow, thereby providing a service corresponding to the removed data flow of the connection control application 212. Access to the server 205 may be blocked. The target application will no longer be able to transmit data packets to the destination network.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (22)

in the gateway,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operatively connected to the processor and storing a proxy server and a file table for managing file encryption or decryption, wherein the memory, when executed by the processor, causes the gateway to:
Receive a data flow including file IO (input output) information indicating whether encryption is required when the node transmits a file from an external server or whether decryption is required when a file is received,
Checking whether file information is included in the service processing request or the service processing request result of the node through the proxy server;
When encryption or decryption is required according to the file IO information, check whether the file information exists in the file table,
Store instructions for processing the service processing request or the service processing request result based on whether the file information is included in the service processing request or the service processing request result and whether the file information exists in the file table Do, Gateway. The method according to claim 1, wherein the instructions are the gateway,
When the file information is not included in the service processing request, forwarding the service processing request;
When the file information is included in the service processing request, the gateway determines whether encryption is required when transmitting the file in the file IO information. delete The method according to claim 1, wherein the instructions are the gateway,
If the file information exists, forwarding the service processing request;
When the file information does not exist, the gateway determines whether to generate an encryption key in the gateway or in the external server according to the encryption information of the data flow. The method according to claim 4, wherein the instructions are the gateway,
When the encryption key is generated by the gateway, the encryption key is generated according to the encryption information, the target file is encrypted using the encryption key, and the service processing request is forwarded;
A gateway configured to transmit the file identification information, encryption information including the encryption key, and encrypted file information to the external server. The method according to claim 4, wherein the instructions are the gateway,
When the encryption key is generated in the external server, a request for file encryption information including the file identification information is transmitted to the external server;
When encryption information on the target file is received from the external server, encrypting the target file based on the encryption information and forwarding the service processing request;
and forwarding the service processing request when receiving information indicating that encryption of the target file is unnecessary from the external server. The method according to claim 1, wherein the instructions are the gateway,
When the file information is not included in the service processing request result, forwarding the service processing request result;
A gateway configured to check whether a file is encrypted when the file information is included in the result of the service processing request. The method of claim 7,
The commands are such that the gateway,
If the file information exists, the gateway decrypts the target file using a decryption key and a decryption algorithm included in the file table, and forwards the service processing request result. The method according to claim 8, wherein the instructions are the gateway,
If the file information does not exist, transmits a file decryption information request including file identification information for identifying the target file to the external server;
When decoding information on the target file is received from the external server, the target file is decrypted based on the decoding information, and the service processing request result is forwarded;
and forwarding a result of the service processing request when receiving information indicating that decryption of the target file is unnecessary from the external server. The method of claim 1,
The data flow includes at least one of source network information for identifying the node, network information of a service server, or certificate identification information. The method according to claim 1, wherein the instructions are the gateway,
and generating the channel based on channel creation information for generating a channel between the node and the gateway received from the node. in the server,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operably coupled to the processor and storing a database, wherein the memory, when executed by the processor, causes the server to:
Receiving a network access request including identification information of a target application of the node to access a network of a service server and network information of the service server from an access control application of a node;
Check whether the target application can access the service server based on the database;
If access is possible, a data flow corresponding to the network information of the service server and including file IO (input output) information indicating whether encryption is required when transmitting a file from the node or whether decryption is required when receiving a file is generated, and the node and send to the gateway;
If access is impossible, transmit result information indicating that access is not possible to the node;
Receiving a request for encryption information or a request for decryption information of a target file from the gateway;
Checking whether file table information for the target file exists in the database;
and storing instructions for transmitting a response to the request for encryption information or the request for decryption information to the gateway according to whether file table information for the target file exists. The method according to claim 12, wherein the instructions are the server,
Transmitting an application whitelist accessible to the access control application;
Check whether the application is valid based on a test result of the application received from the access control application;
If the application is valid, check the gateway where the node is located;
A data flow including at least one of source network information, network information of the service server, or certificate identification information is generated and transmitted to the node and the gateway, and the data flow requires approval for file transmission and reception of the application Server, including file IO (input output) information indicating whether or not. The method according to claim 12, wherein the instructions are the server,
Receive a network access request from the access control application, wherein the network access request includes identification information of the access control application;
Based on the database, check whether the access control application can access the controller,
When connection is possible, the server to create a control flow between the connection control application and the server. The method according to claim 14, wherein the instructions are the server,
After generating the control flow, receiving a user authentication request from an access control application, the user authentication request including a user ID, password and / or enhanced authentication information,
Based on the information included in the user authentication request, it is determined whether the user is accessible;
In the case of an accessible user, a server that adds identification information of the user to the control flow. The method according to claim 12, wherein the instructions are the server,
When creating a control flow or completing user authentication,
Identifying channels and gateways connectable to the access control application based on the database;
and cause the node to transmit information to the node to create the identified gateway and the identified channel. The method of claim 12,
The encryption information request or the decryption information request includes file identification information for identifying the target file,
The commands are such that the server,
Check whether file table information for the target file exists in the database based on the file identification information;
A server configured to transmit encryption information or decryption information of the target file to the gateway based on the file table information. The method according to claim 12, wherein the instructions are the server,
In response to the encryption information request,
If file table information for the target file exists, transmitting information indicating that encryption of the target file is unnecessary to the gateway;
and generating an encryption key based on the database when file table information for the target file does not exist, and transmitting encryption information including the encryption key and an encryption algorithm to the gateway. The method according to claim 12, wherein the instructions are the server,
In response to the decryption information request,
When file table information for the target file exists, transmitting decryption algorithm and decryption key information included in the file table information to the gateway;
and transmits information indicating that decryption of the target file is unnecessary when the file table information for the target file does not exist. The method according to claim 12, wherein the instructions are the server,
Receiving file identification information for identifying a target file from the gateway, encryption information including an encryption key and an encryption algorithm for encrypting the target file, and encrypted file information;
A server configured to update file table information of the database based on the received file identification information, the encryption information, and the encrypted file information. In the operation method of the gateway,
Receiving, from an external server, a data flow including file IO (input output) information indicating whether encryption is required when a file is transmitted from a node or whether decryption is required when a file is received, from an external server;
An operation of checking whether file information is included in a service processing request of the node or a service processing request result of the node through a proxy server of the gateway;
When encryption or decryption is required according to the file IO information, checking whether the file information exists in a file table for managing file encryption or decryption stored in the gateway, and
Processing the service processing request or the service processing request result based on whether the file information is included in the service processing request or the service processing request result and whether the file information exists in the file table , how it works. In the method of operating the server,
Receiving a network access request including identification information of a target application of the node to access a network of a service server and network information of the service server from an access control application of a node;
An operation of checking whether or not the target application can access the service server based on the database of the server;
Corresponding to the network information of the service server, generating a data flow including file IO (input output) information indicating whether encryption is required when transmitting a file of the node or whether decryption is required when receiving a file, And sending it to the node and gateway movement,
Receiving a request for encryption information or a request for decryption information of a target file from the gateway;
Checking whether file table information for the target file exists in the database; and
and transmitting a response to the request for encryption information or the request for decryption information to the gateway according to whether file table information for the target file exists.

Images