WO2023101399A1 - System for managing security of large amount of data - Google Patents

System for managing security of large amount of data Download PDF

Info

Publication number
WO2023101399A1
WO2023101399A1 PCT/KR2022/019175 KR2022019175W WO2023101399A1 WO 2023101399 A1 WO2023101399 A1 WO 2023101399A1 KR 2022019175 W KR2022019175 W KR 2022019175W WO 2023101399 A1 WO2023101399 A1 WO 2023101399A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
communication channel
secure communication
secure
received
Prior art date
Application number
PCT/KR2022/019175
Other languages
French (fr)
Korean (ko)
Inventor
박한나
정해일
조성민
Original Assignee
주식회사 시옷
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 시옷 filed Critical 주식회사 시옷
Publication of WO2023101399A1 publication Critical patent/WO2023101399A1/en

Links

Images

Classifications

    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00IoT infrastructure
    • G16Y30/10Security thereof
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40Support for services or applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • the present invention relates to a security processing system for large-capacity data, and more particularly, to an IoT security system capable of encrypting large-capacity data transmitted and received between devices constituting the Internet of Things at high speed.
  • IoT Internet of Things
  • open source-based software such as Python, PHP, and OpenSSL
  • hardware platform that provides various functions and services between users and objects through Internet access.
  • IoT devices are difficult to apply security in the form of software due to lack of resources, and in the case of software security products that have been deployed and installed, they must be provided in accordance with the device development environment, so there is a limit to supporting various IoT device development environments.
  • One aspect of the present invention provides an IoT security system capable of encrypting data transmitted and received through a secure communication channel by forming a secure communication channel between devices constituting the IoT.
  • a security processing system for large-capacity data forms a secure communication channel between IoT devices constituting the Internet of Things and encrypts data transmitted and received through the secure communication channel in different ways according to the size of the data. contains the module
  • the secure hub module includes
  • An encryption unit for encrypting data transmitted to and received from the IoT device through a secure communication channel through a preset encryption algorithm is included.
  • the encryption unit The encryption unit,
  • the reception time of the data received through the secure hub module is converted into a binary number, the converted binary number is divided into two sections, and the binary number included in the first section is divided into two sections.
  • a first variable converted into a decimal number and a second variable obtained by converting the binary number included in the second interval into a decimal number are generated, and a first prime number closest to the first variable and a second prime number closest to the second variable are generated. setting, generating a private key and a public key using the set first and second prime numbers, and encrypting the data using the generated private key and public key.
  • a secure communication channel is formed between devices constituting the Internet of Things, and data transmitted and received through the secure communication channel may be encrypted.
  • FIG. 1 is a block diagram showing a schematic configuration of a large data security processing system according to an embodiment of the present invention.
  • FIG. 2 and 3 are flowcharts illustrating specific functions of the secure hub module shown in FIG. 1 .
  • FIG. 4 is a diagram illustrating a specific example of encrypting low-capacity data.
  • FIG. 5 is a diagram illustrating a specific example of encrypting large-capacity data.
  • FIG. 1 is a conceptual diagram showing a schematic configuration of a large data security processing system according to an embodiment of the present invention.
  • the IoT security system 1000 includes at least one IoT device 100, a gateway connected to the IoT device 100 to form an internal network, and connected to the IoT platform 300 to build an external network. 200 and a secure hub module 400 that is connected to the gateway and encrypts data transmitted through the internal network and the external network.
  • the security hub module 400 is a gateway 200 to improve the security of data transmitted and received through the Internet of Things in an already built IoT environment such as the IoT device 100, the gateway 200, and the IoT platform 300. As a device installed on the ) side, it can be physically connected to the gateway 200.
  • FIGS. 2 and 3 are diagrams illustrating a detailed configuration of the secure hub module 400 .
  • the secure hub module 400 transmits and receives data to and from IoT devices through a secure communication channel through a channel setting unit 410 that establishes a secure communication channel between IoT devices requiring communication and a preset encryption algorithm. It includes an encryption unit 420 that encrypts data.
  • the encryption unit 420 includes a data classification unit 421 that classifies data transmitted and received through the secure communication channel as either low-capacity data or large-capacity data, and encrypts the data classified as low-capacity data by the data classification unit. It includes a low-capacity data encryption unit 422 and a large-capacity data encryption unit 423 that encrypts data classified as large-capacity data by the data classification unit.
  • the data classification unit 421 may classify data into either low-capacity data or large-capacity data based on a preset reference data size value (eg, 10mb).
  • FIG. 4 is a diagram showing a specific example of encrypting data in the low-capacity data encryption unit 422 .
  • the low-capacity data encryption unit 422 converts the reception time of the data received through the secure hub module into a binary number, and converts the converted binary number into a binary number. Divide into two sections.
  • the low-capacity data encryption unit 422 causes the first four binary numbers to be included in the first section, and then allows the four binary numbers to be included in the second section. If all of the converted binary numbers are odd, it may be configured to include one more binary number in the first interval. For example, when the converted binary number is a 9-digit number, 5 binary numbers from the beginning are included in the first section, and then 4 binary numbers are included in the second section.
  • the low-capacity data encryption unit 422 generates a first variable obtained by converting the binary number included in the first section into a decimal number and a second variable obtained by converting the binary number included in the second section into a decimal number, and A first prime number closest to a second prime number and a second prime number closest to a second variable are set, a private key and a public key are generated using the set first prime number and the second prime number, and the generated private key and public key are use to encrypt the data.
  • the mass data encryption unit 422 encrypts relatively large amounts of data such as images and videos.
  • the bulk data encryption unit 422 may divide the bulk data into a plurality of seed blocks and encrypt each of the divided seed blocks through a preset block cipher algorithm.
  • the preset block cipher algorithm may be the SEED standardization algorithm, which is a block cipher algorithm in which the input/output processing basic unit (block size) is 128 bits, the size of the input key is 128 bits, and the number of rounds is 16 rounds, but is not limited thereto.
  • Various block encryption algorithms that have been widely used may be applied.
  • the bulk data encryption unit 422 encrypts the bulk data with another encryption method.
  • the mass data encryption unit 422 includes a region of interest setting unit and a conversion unit.
  • the region of interest setting unit sets a region to be encrypted among the entire regions of the captured image as the region of interest.
  • the region-of-interest setting unit performs image analysis on large-volume data in the form of an image, and detects a characteristic part requiring encryption among the entire region of the original image, so that the conversion unit to be described later partially encrypts only the set region and requests data processing. It is possible to reduce the amount of computation and time to be performed.
  • the region of interest setting unit extracts a plurality of objects constituting the original image, sets an object corresponding to a pre-learned object among the plurality of extracted objects as a feature object, and sets the feature object It is characterized in that the region of interest is set to be included.
  • the region of interest setting unit extracts a feature vector from the captured image, inputs the extracted feature vector as an input value of an artificial neural network that has been trained in advance, and selects a plurality of objects included in the captured image based on the output value. can be distinguished. Since the object detection method using such an artificial neural network is a technique widely used in the image processing field, a detailed description thereof will be omitted.
  • the ROI setting unit may set the ROI using a histogram of image data.
  • the histogram is information representing the distribution of contrast values for pixels of an image.
  • the ROI setting unit may generate an entire histogram of pixels constituting the captured image and a partial histogram of a predetermined region of the captured image.
  • the region of interest setting unit separates the original image into R, G, and B channels, and for each of the separated channels, the horizontal axis represents the contrast value of a 256 gray level image with a brightness deviation of 256, and the vertical axis represents the frequency of each contrast value.
  • a histogram representing can be created. Since a specific method for generating a histogram is a known technique, further detailed description will be omitted.
  • the ROI setting unit may select a convolution filter for extracting the ROI using the full histogram and partial histogram of the original image.
  • a convolution filter is a matrix composed of arbitrary pixel sizes used to process a reference image, which is an image corresponding to a region of interest in a reference frame, with various effects, and is also called an image kernel or a convolution kernel.
  • the region of interest setting unit stores various types of convolution filters, and may include, for example, blurring, sharpening, outlining, and embossing convolution filters.
  • the image processing device 100 may further include various types of convolution filters set by the user or collected from external devices.
  • the ROI setting unit may generate an output image by applying a convolution filter to the photographed image.
  • the region of interest setting unit may store convolution filters composed of a 3X3 matrix, and a numerical value may be set for each convolution filter for each matrix element. For example, values of 1, 0, 1, 0, 1, 0, 1, 0, 1 may be sequentially set from the top left of the convolution filter.
  • the region-of-interest setting unit calculates an output value of the corresponding pixel by performing a convolution operation with a convolution filter with any one pixel constituting the reference image and pixels adjacent to the corresponding pixel, and may set the region of interest using the calculated output value.
  • the ROI setting unit may compare a previously stored reference value with an output value calculated for each pixel, select a pixel having an output value most similar to the reference value, and set an area within a predetermined radius based on the selected pixel as the ROI.
  • the conversion unit rearranges all pixels included in the ROI set by the ROI setting unit, and encrypts the original and changed locations of the rearranged pixels using a blockchain.
  • the conversion unit may move the pixels in the region of interest to a position different from the original position by using a predetermined jigsaw pattern.
  • the conversion unit may rearrange each pixel in an arbitrary position other than a predetermined pattern.
  • the conversion unit generates a private key based on the pixel size of the region of interest, generates a public key based on the generated private key, and transaction information indicating a changed position of a pixel included in the region of interest from the original position. Converts to a hash value using a hash function, and generates a digital signature for the transaction information by encrypting the hash value using the private key. A specific function of the conversion unit will be described later.
  • the conversion unit generates a third variable by counting the number of pixels on the horizontal axis of the region of interest, and generates a fourth variable by counting the number of pixels on the vertical axis of the region of interest.
  • the conversion unit sets a prime number closest to the third variable as a third prime number, sets a prime number closest to the fourth variable as a fourth prime number, and uses the set third and fourth prime numbers to generate the private key. and generating the public key.
  • the conversion unit may encrypt the region of interest in which positions of pixels are rearranged through an asymmetric encryption method.
  • This private key-public key generation method uses the RSA encryption algorithm, and since the RSA encryption algorithm is a widely publicized technology, a detailed public key generation process will be omitted.
  • the conversion unit transmits the generated public key to other IoT devices through a secure channel, and when the IoT devices receive the encrypted data, they can decrypt it using the public key received from the conversion unit.
  • the conversion unit generates a first histogram for the captured image and a second histogram for the region of interest, analyzes the first histogram, sets a brightness value with the highest frequency as a first variable, and sets the first histogram to the first histogram. 2 The histogram is analyzed, the brightness value having the highest frequency is set as a second variable, and the private key and the public key are generated using the set first and second prime numbers.
  • the conversion unit 300 resets a brightness value having a higher next-order frequency in the second histogram as a second variable.
  • the conversion unit holds the transmission process of the data until the number of image data to be encrypted is accumulated and stored by a predetermined number, and then confirms that the number of encrypted image data is accumulated and stored by a predetermined number.
  • variable data representing characteristics of the accumulated and stored data group is set, and the image data is encrypted based on the set variable data.
  • the conversion unit bundles the accumulated and stored collected data into data groups, extracts data groups to be transmitted, sets variable data according to the characteristics of the extracted data groups, and creates transformed data that connects the set variable data to each collected data.
  • the generated transformed data is converted into a hash value through a hash function and registered in the blockchain network.
  • the conversion unit generates variable data based on the reference value received from the manager terminal, and converts the image data into a hash value based on the variable data, so that security of the image data can be improved.
  • Such technology may be implemented as an application or implemented in the form of program instructions that can be executed through various computer components and recorded on a computer-readable recording medium.
  • the computer readable recording medium may include program instructions, data files, data structures, etc. alone or in combination.
  • Program instructions recorded on the computer-readable recording medium may be those specially designed and configured for the present invention, or those known and usable to those skilled in the art of computer software.
  • Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, and magneto-optical media such as floptical disks. media), and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like.
  • Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter or the like as well as machine language codes such as those produced by a compiler.
  • the hardware device may be configured to act as one or more software modules to perform processing according to the present invention and vice versa.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Multimedia (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)

Abstract

The present invention relates to a system for managing security of a large amount of data, the method establishing a secure communication channel between internet-of-things (IoT) devices in IoT, classifying data that is transmitted and received by means of the secure communication channel as either a small amount of data or large amount of data, and, on the basis of the size, using different methods of encryption.

Description

대용량 데이터의 보안 처리 시스템 Security processing system for large data
본 발명은 대용량 데이터의 보안 처리 시스템에 관한 것으로, 더욱 상세하게는 사물 인터넷을 구성하는 디바이스 간 송수신되는 대용량 데이터를 고속으로 암호화할 수 있는 사물 인터넷 보안 시스템에 관한 것이다.The present invention relates to a security processing system for large-capacity data, and more particularly, to an IoT security system capable of encrypting large-capacity data transmitted and received between devices constituting the Internet of Things at high speed.
최근 사물 인터넷 서비스가 급속하게 증가하면서 사물인터넷(Internet of Things, IoT) 디바이스의 보안이 이슈가 되고 있다. 범용 IoT 디바이스는 인터넷 접속을 통해 사용자와 사물간 다양한 기능 및 서비스를 제공하는 하드웨어 플랫폼과 함께 파이썬, PHP, OpenSSL 등 Open source 기반의 소프트웨어를 탑재하고 있다.Recently, with the rapid increase in Internet of Things (IoT) services, the security of Internet of Things (IoT) devices has become an issue. A general-purpose IoT device is equipped with open source-based software such as Python, PHP, and OpenSSL along with a hardware platform that provides various functions and services between users and objects through Internet access.
이러한 오픈 소스 기반의 IoT 플랫폼은 사용자가 다양한 기능을 추가하거나 개발하기 쉽다는 장점이 있다. 그러나 개인 정보 유출과 같은 파일 기밀성에 대한 위협이 존재하며, 특히 디바이스 복제에 취약한 문제가 발생할 수 있다.The advantage of this open source based IoT platform is that it is easy for users to add or develop various functions. However, there are threats to file confidentiality such as personal information leakage, and in particular, device cloning may be vulnerable.
사물인터넷 디바이스에 대한 공격은 꾸준히 증가하고 있으며, 전송 데이터 탈취, 기본 계정과 패스워드의 사용 및 대규모 봇넷(botnet)을 형성해 디도스(DDos) 공격 및 기기 자체에 손상을 입히는 사례들이 지속적으로 보고되고 있다.Attacks on IoT devices are steadily increasing, and cases of stealing transmission data, using default accounts and passwords, and forming large-scale botnets to form DDoS attacks and damage to devices are continuously reported. .
이에, 최근에는 IoT 기기들에 대한 보안 제품들이 사용되고 있으나, 종래의 IoT 보안 제품들은 IoT 디바이스 설계 및 개발 시 적용되어야 하며, 설계 및 개발 시 보안 미반영 제품들은 설치 이후 기존 방식으로 보안을 적용하기에는 한계가 있다는 문제점이 있다.Accordingly, although security products for IoT devices have recently been used, conventional IoT security products must be applied when designing and developing IoT devices, and products that do not reflect security during design and development have limitations in applying security in the conventional way after installation. There is a problem with that.
또한, 대부분의 IoT 디바이스는 리소스 부족으로 소프트웨어 형태의 보안 적용이 어려우며, 배포 및 설치가 완료된 소프트웨어 보안 제품의 경우 디바이스 개발 환경에 맞추어 제공되어야 함에 따라 다양한 IoT 디바이스 개발 환경을 모드 지원하기에는 한계가 있다는 문제점이 있다.In addition, most IoT devices are difficult to apply security in the form of software due to lack of resources, and in the case of software security products that have been deployed and installed, they must be provided in accordance with the device development environment, so there is a limit to supporting various IoT device development environments. there is
한편, 전술한 배경 기술은 발명자가 본 발명의 도출을 위해 보유하고 있었거나, 본 발명의 도출 과정에서 습득한 기술 정보로서, 반드시 본 발명의 출원 전에 일반 공중에게 공개된 공지기술이라 할 수는 없다.On the other hand, the above-mentioned background art is technical information that the inventor possessed for derivation of the present invention or acquired in the process of derivation of the present invention, and cannot necessarily be said to be known art disclosed to the general public prior to filing the present invention. .
본 발명의 일측면은 사물 인터넷을 구성하는 디바이스 간 보안 통신 채널을 형성하여 보안 통신 채널을 통해 송수신되는 데이터를 암호화할 수 있는 사물 인터넷 보안 시스템을 제공한다.One aspect of the present invention provides an IoT security system capable of encrypting data transmitted and received through a secure communication channel by forming a secure communication channel between devices constituting the IoT.
본 발명의 기술적 과제는 이상에서 언급한 기술적 과제로 제한되지 않으며, 언급되지 않은 또 다른 기술적 과제들은 아래의 기재로부터 당업자에게 명확하게 이해될 수 있을 것이다.The technical problem of the present invention is not limited to the technical problem mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the following description.
본 발명의 일 실시예에 따른 대용량 데이터의 보안 처리 시스템은 사물 인터넷을 구성하는 IoT 디바이스 간 보안 통신 채널을 형성하여 보안 통신 채널을 통해 송수신되는 데이터를 데이터 크기에 따라 서로 다른 방법으로 암호화하는 보안 허브 모듈을 포함한다.A security processing system for large-capacity data according to an embodiment of the present invention forms a secure communication channel between IoT devices constituting the Internet of Things and encrypts data transmitted and received through the secure communication channel in different ways according to the size of the data. contains the module
상기 보안 허브 모듈은,The secure hub module,
통신이 요구되는 IoT 디바이스 간 보안 통신 채널을 설정하는 채널 설정부; 및A channel setting unit for setting a secure communication channel between IoT devices requiring communication; and
미리 설정된 암호화 알고리즘을 통해 보안 통신 채널을 통해 IoT 디바이스로 송수신되는 데이터를 암호화하는 암호화부를 포함한다.An encryption unit for encrypting data transmitted to and received from the IoT device through a secure communication channel through a preset encryption algorithm is included.
상기 암호화부는,The encryption unit,
상기 보안 통신 채널을 통해 송수신되는 데이터를 저용량 데이터 또는 대용량 데이터 중 어느 하나로 구분하되,Classifying data transmitted and received through the secure communication channel as either low-capacity data or large-capacity data,
상기 보안 통신 채널을 통해 송수신되는 데이터가 저용량 데이터인 것으로 판단되면, 상기 보안 허브 모듈로 수신되는 데이터의 수신 시각을 이진수로 변환하고, 변환된 이진수를 두 구간으로 분할하여 제1 구간에 포함된 이진수를 십진수로 변환한 제1 변수와, 제2 구간에 포함된 이진수를 십진수로 변환한 제2 변수를 생성하고, 제1 변수와 가장 가까운 제1 소수와, 제2 변수와 가장 가까운 제2 소수를 설정하고, 설정된 상기 제1 소수 및 상기 제2 소수를 이용하여 개인 키 및 공개 키를 생성하고, 생성된 개인 키 및 공개 키를 이용하여 상기 데이터를 암호화하는 것을 특징으로 한다.If it is determined that the data transmitted and received through the secure communication channel is low-volume data, the reception time of the data received through the secure hub module is converted into a binary number, the converted binary number is divided into two sections, and the binary number included in the first section is divided into two sections. A first variable converted into a decimal number and a second variable obtained by converting the binary number included in the second interval into a decimal number are generated, and a first prime number closest to the first variable and a second prime number closest to the second variable are generated. setting, generating a private key and a public key using the set first and second prime numbers, and encrypting the data using the generated private key and public key.
상술한 본 발명의 일측면에 따르면, 사물 인터넷을 구성하는 디바이스 간 보안 통신 채널을 형성하여 보안 통신 채널을 통해 송수신되는 데이터를 암호화할 수 있다.According to one aspect of the present invention described above, a secure communication channel is formed between devices constituting the Internet of Things, and data transmitted and received through the secure communication channel may be encrypted.
도 1은 본 발명의 일 실시예에 대용량 데이터의 보안 처리 시스템의 개략적인 구성이 도시된 블록도이다.1 is a block diagram showing a schematic configuration of a large data security processing system according to an embodiment of the present invention.
도 2 및 도 3은 도 1에 도시된 보안 허브 모듈의 구체적인 기능이 도시된 순서도이다.2 and 3 are flowcharts illustrating specific functions of the secure hub module shown in FIG. 1 .
도 4는 저용량 데이터를 암호화하는 구체적인 일 예가 도시된 도면이다.4 is a diagram illustrating a specific example of encrypting low-capacity data.
도 5는 대용량 데이터를 암호화하는 구체적인 일 예가 도시된 도면이다.5 is a diagram illustrating a specific example of encrypting large-capacity data.
후술하는 본 발명에 대한 상세한 설명은, 본 발명이 실시될 수 있는 특정 실시예를 예시로서 도시하는 첨부 도면을 참조한다. 이들 실시예는 당업자가 본 발명을 실시할 수 있기에 충분하도록 상세히 설명된다. 본 발명의 다양한 실시예는 서로 다르지만 상호 배타적일 필요는 없음이 이해되어야 한다. 예를 들어, 여기에 기재되어 있는 특정 형상, 구조 및 특성은 일 실시예와 관련하여 본 발명의 정신 및 범위를 벗어나지 않으면서 다른 실시예로 구현될 수 있다. 또한, 각각의 개시된 실시예 내의 개별 구성요소의 위치 또는 배치는 본 발명의 정신 및 범위를 벗어나지 않으면서 변경될 수 있음이 이해되어야 한다. 따라서, 후술하는 상세한 설명은 한정적인 의미로서 취하려는 것이 아니며, 본 발명의 범위는, 적절하게 설명된다면, 그 청구항들이 주장하는 것과 균등한 모든 범위와 더불어 첨부된 청구항에 의해서만 한정된다. 도면에서 유사한 참조부호는 여러 측면에 걸쳐서 동일하거나 유사한 기능을 지칭한다.DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The detailed description of the present invention which follows refers to the accompanying drawings which illustrate, by way of illustration, specific embodiments in which the present invention may be practiced. These embodiments are described in sufficient detail to enable one skilled in the art to practice the present invention. It should be understood that the various embodiments of the present invention are different from each other but are not necessarily mutually exclusive. For example, specific shapes, structures, and characteristics described herein may be implemented in another embodiment without departing from the spirit and scope of the invention in connection with one embodiment. Additionally, it should be understood that the location or arrangement of individual components within each disclosed embodiment may be changed without departing from the spirit and scope of the invention. Accordingly, the detailed description set forth below is not to be taken in a limiting sense, and the scope of the present invention, if properly described, is limited only by the appended claims, along with all equivalents as claimed by those claims. Like reference numbers in the drawings indicate the same or similar function throughout the various aspects.
이하, 도면들을 참조하여 본 발명의 바람직한 실시예들을 보다 상세하게 설명하기로 한다.Hereinafter, preferred embodiments of the present invention will be described in more detail with reference to the drawings.
도 1은 본 발명의 일 실시예에 따른 대용량 데이터의 보안 처리 시스템의 개략적인 구성이 도시된 개념도이다.1 is a conceptual diagram showing a schematic configuration of a large data security processing system according to an embodiment of the present invention.
본 발명에 따른 사물 인터넷 보안 시스템(1000)은 적어도 하나의 IoT 기기(100), 상기 IoT 기기(100)와 연결되어 내부망을 형성하고, IoT 플랫폼(300)과 연결되어 외부망을 구축하는 게이트웨이(200) 및 게이트웨이에 연결되어 내부망 및 외부망을 통해 전달되는 데이터를 암호화하는 보안 허브 모듈(400)을 포함한다.The IoT security system 1000 according to the present invention includes at least one IoT device 100, a gateway connected to the IoT device 100 to form an internal network, and connected to the IoT platform 300 to build an external network. 200 and a secure hub module 400 that is connected to the gateway and encrypts data transmitted through the internal network and the external network.
즉, 보안 허브 모듈(400)은 IoT 기기(100), 게이트웨이(200) 및 IoT 플랫폼(300)과 같이 이미 구축된 IoT 환경에서 사물 인터넷을 통해 송수신되는 데이터의 보안성을 향상시키기 위해 게이트웨이(200)측에 설치되는 장치로, 게이트웨이(200)와 물리적으로 연결될 수 있다.That is, the security hub module 400 is a gateway 200 to improve the security of data transmitted and received through the Internet of Things in an already built IoT environment such as the IoT device 100, the gateway 200, and the IoT platform 300. As a device installed on the ) side, it can be physically connected to the gateway 200.
도 2 및 도 3은 이러한 보안 허브 모듈(400)의 구체적인 구성이 도시된 도면이다.2 and 3 are diagrams illustrating a detailed configuration of the secure hub module 400 .
도시된 바와 같이, 상기 보안 허브 모듈(400)은, 통신이 요구되는 IoT 디바이스 간 보안 통신 채널을 설정하는 채널 설정부(410) 및 미리 설정된 암호화 알고리즘을 통해 보안 통신 채널을 통해 IoT 디바이스로 송수신되는 데이터를 암호화하는 암호화부(420)를 포함한다.As shown, the secure hub module 400 transmits and receives data to and from IoT devices through a secure communication channel through a channel setting unit 410 that establishes a secure communication channel between IoT devices requiring communication and a preset encryption algorithm. It includes an encryption unit 420 that encrypts data.
이때, 상기 암호화부(420)는, 상기 보안 통신 채널을 통해 송수신되는 데이터를 저용량 데이터 또는 대용량 데이터 중 어느 하나로 구분하는 데이터 분류부(421), 데이터 분류부에 의해 저용량 데이터로 분류된 데이터를 암호화하는 저용량 데이터 암호화부(422) 및 데이터 분류부에 의해 대용량 데이터로 분류된 데이터를 암호화하는 대용량 데이터 암호화부(423)를 포함한다.At this time, the encryption unit 420 includes a data classification unit 421 that classifies data transmitted and received through the secure communication channel as either low-capacity data or large-capacity data, and encrypts the data classified as low-capacity data by the data classification unit. It includes a low-capacity data encryption unit 422 and a large-capacity data encryption unit 423 that encrypts data classified as large-capacity data by the data classification unit.
데이터 분류부(421)는 미리 설정된 기준 데이터 크기값(예컨대 10mb)에 기초하여 데이터를 저용량 데이터 또는 대용량 데이터 중 어느 하나로 분류할 수 있다.The data classification unit 421 may classify data into either low-capacity data or large-capacity data based on a preset reference data size value (eg, 10mb).
도 4는 저용량 데이터 암호화부(422)에서 데이터를 암호화하는 구체적인 일 예가 도시된 도면이다.4 is a diagram showing a specific example of encrypting data in the low-capacity data encryption unit 422 .
도시된 바와 같이 저용량 데이터 암호화부(422)는 상기 보안 통신 채널을 통해 송수신되는 데이터가 저용량 데이터인 것으로 판단되면, 상기 보안 허브 모듈로 수신되는 데이터의 수신 시각을 이진수로 변환하고, 변환된 이진수를 두 구간으로 분할하한다.As shown, when it is determined that data transmitted and received through the secure communication channel is low-capacity data, the low-capacity data encryption unit 422 converts the reception time of the data received through the secure hub module into a binary number, and converts the converted binary number into a binary number. Divide into two sections.
예컨대, 저용량 데이터 암호화부(422)는 변환된 이진수가 여덟 자리 숫자인 경우, 앞에서부터 4 개의 이진수가 제1 구간에 포함되도록 하고, 이후 4개의 이진수가 제2 구간에 포함되도록 한다. 만약, 변환된 이진수가 모두 홀수 개인 경우, 제1 구간에 1개의 이진수가 더 포함되도록 설정할 수 있다. 예컨대 변환된 이진수가 9자리 숫자인 경우, 앞에서부터 5개의 이진수가 제1 구간에 포함되도록 하고, 이후 4개의 이진수가 제2 구간에 포함되도록 한다.For example, when the converted binary number is an eight-digit number, the low-capacity data encryption unit 422 causes the first four binary numbers to be included in the first section, and then allows the four binary numbers to be included in the second section. If all of the converted binary numbers are odd, it may be configured to include one more binary number in the first interval. For example, when the converted binary number is a 9-digit number, 5 binary numbers from the beginning are included in the first section, and then 4 binary numbers are included in the second section.
이후, 저용량 데이터 암호화부(422)는 제1 구간에 포함된 이진수를 십진수로 변환한 제1 변수와, 제2 구간에 포함된 이진수를 십진수로 변환한 제2 변수를 생성하고, 제1 변수와 가장 가까운 제1 소수와, 제2 변수와 가장 가까운 제2 소수를 설정하고, 설정된 상기 제1 소수 및 상기 제2 소수를 이용하여 개인 키 및 공개 키를 생성하고, 생성된 개인 키 및 공개 키를 이용하여 상기 데이터를 암호화한다.Thereafter, the low-capacity data encryption unit 422 generates a first variable obtained by converting the binary number included in the first section into a decimal number and a second variable obtained by converting the binary number included in the second section into a decimal number, and A first prime number closest to a second prime number and a second prime number closest to a second variable are set, a private key and a public key are generated using the set first prime number and the second prime number, and the generated private key and public key are use to encrypt the data.
대용량 데이터 암호화부(422)는 이미지, 동영상 등과 같이 비교적 대용량의 데이터를 암호화한다.The mass data encryption unit 422 encrypts relatively large amounts of data such as images and videos.
일 실시예에서, 대용량 데이터 암호화부(422)는 도 5에 도시된 바와 같이 대용량 데이터를 복수의 시드 블록으로 분할하고, 분할된 각각의 시드 블록을 미리 설정된 블록암호 알고리즘을 통해 암호화할 수 있다.In one embodiment, as shown in FIG. 5 , the bulk data encryption unit 422 may divide the bulk data into a plurality of seed blocks and encrypt each of the divided seed blocks through a preset block cipher algorithm.
여기서, 미리 설정된 블록암호 알고리즘은 입출력 처리 기본 단위(블록 크기)가 128bits, 입력키의 크기가 128bits, 라운드 수가 16라운드인 블록 암호 알고리즘인 SEED 표준화 알고리즘일 수 있으나, 이에 한정되는 것은 아니며 그 외에도 표준화되어 널리 사용되고 있는 다양한 블록 암호화 알고리즘이 적용될 수도 있다.Here, the preset block cipher algorithm may be the SEED standardization algorithm, which is a block cipher algorithm in which the input/output processing basic unit (block size) is 128 bits, the size of the input key is 128 bits, and the number of rounds is 16 rounds, but is not limited thereto. Various block encryption algorithms that have been widely used may be applied.
몇몇 다른 실시예에서, 대용량 데이터 암호화부(422)는 다른 암호화 방법으로 대용량 데이터를 암호화한다.In some other embodiments, the bulk data encryption unit 422 encrypts the bulk data with another encryption method.
이를 위해, 대용량 데이터 암호화부(422)는 관심영역 설정부 및 변환부를 포함한다.To this end, the mass data encryption unit 422 includes a region of interest setting unit and a conversion unit.
관심영역 설정부는 촬영영상의 전체 영역 중 암호화될 영역을 관심영역으로 설정한다.The region of interest setting unit sets a region to be encrypted among the entire regions of the captured image as the region of interest.
즉, 관심영역 설정부는 이미지 형태의 대용량 데이터를 영상 분석하여, 원본 이미지의 전체 영역 중 암호화가 필요한 특징적인 부분을 검출함으로써, 후술하게 될 변환부가 설정된 영역에 대해서만 부분적으로 암호화하도록 하여 데이터 처리에 요구되는 연산량 및 시간을 단축시킬 수 있다.That is, the region-of-interest setting unit performs image analysis on large-volume data in the form of an image, and detects a characteristic part requiring encryption among the entire region of the original image, so that the conversion unit to be described later partially encrypts only the set region and requests data processing. It is possible to reduce the amount of computation and time to be performed.
이를 위해, 일 실시예에서, 관심영역 설정부는 원본 이미지를 구성하는 복수의 객체를 추출하고, 추출된 복수의 객체 중 미리 학습된 객체에 대응되는 객체를 특징객체로 설정하고, 설정된 상기 특징객체가 포함되도록 상기 관심영역을 설정하는 것을 특징으로 한다.To this end, in one embodiment, the region of interest setting unit extracts a plurality of objects constituting the original image, sets an object corresponding to a pre-learned object among the plurality of extracted objects as a feature object, and sets the feature object It is characterized in that the region of interest is set to be included.
일 실시예에서, 관심영역 설정부는 촬영영상으로부터 특징벡터를 추출하고, 추출된 특징벡터를 미리 학습된 인공 신경망의 입력값을 입력하여, 이에 대한 출력값을 기초로 촬영영상에 포함된 복수의 객체를 구분할 수 있다. 이러한 인공 신경망을 이용한 객체 검출 방법은 영상처리 분야에서 널리 사용되고 있는 기술이므로, 구체적인 설명은 생략하기로 한다.In one embodiment, the region of interest setting unit extracts a feature vector from the captured image, inputs the extracted feature vector as an input value of an artificial neural network that has been trained in advance, and selects a plurality of objects included in the captured image based on the output value. can be distinguished. Since the object detection method using such an artificial neural network is a technique widely used in the image processing field, a detailed description thereof will be omitted.
일 실시예에서, 관심영역 설정부는 이미지 데이터에 대한 히스토그램(histogram)을 이용하여 관심영역을 설정할 수 있다.In one embodiment, the ROI setting unit may set the ROI using a histogram of image data.
히스토그램은 영상의 픽셀들에 대한 명암값의 분포를 나타내는 정보이다.The histogram is information representing the distribution of contrast values for pixels of an image.
관심영역 설정부는 촬영영상을 구성하는 픽셀들에 대한 전체 히스토그램과, 촬영영상의 소정 영역에 대한 부분적인 히스토그램을 생성할 수 있다. The ROI setting unit may generate an entire histogram of pixels constituting the captured image and a partial histogram of a predetermined region of the captured image.
관심영역 설정부는 원본 이미지를 R, G, B 채널로 분리하고, 분리된 각각의 채널에 대하여 가로축을 256의 밝기 편차를 갖는 256 gray level 영상의 명암 값을 나타내고, 세로축을 각 명암 값의 빈도 수를 나타내는 히스토그램을 생성할 수 있다. 히스토그램을 생성하는 구체적인 방법은 기 공지된 기술이므로, 더 이상의 구체적인 설명은 생략하기로 한다.The region of interest setting unit separates the original image into R, G, and B channels, and for each of the separated channels, the horizontal axis represents the contrast value of a 256 gray level image with a brightness deviation of 256, and the vertical axis represents the frequency of each contrast value. A histogram representing can be created. Since a specific method for generating a histogram is a known technique, further detailed description will be omitted.
관심영역 설정부는 원본 이미지에 대한 전체 히스토그램 및 부분 히스토그램을 이용하여 관심영역을 추출하기 위한 컨벌루션 필터를 선택할 수 있다.The ROI setting unit may select a convolution filter for extracting the ROI using the full histogram and partial histogram of the original image.
컨벌루션 필터는 기준 프레임의 관심 영역에 해당되는 이미지인 기준 이미지를 다양한 효과로 처리하기 위하여 사용되는 임의의 픽셀 사이즈로 구성된 행렬이며, 이미지 커널(image kernel) 또는 컨벌루션 커널(convolution kernel)로도 불리운다. 관심영역 설정부는 다양한 종류의 컨벌루션 필터가 저장되어 있으며, 예를 들어 블러링(blurring), 샤프닝(sharpening), 윤곽선 처리(outlining) 및 엠보싱(embossing) 컨벌루션 필터를 포함할 수 있다. 이 외에도, 영상 처리 장치(100)는 사용자로부터 설정되거나 외부 장치로부터 수집된 다양한 형태의 컨벌루션 필터를 더 포함할 수 있다A convolution filter is a matrix composed of arbitrary pixel sizes used to process a reference image, which is an image corresponding to a region of interest in a reference frame, with various effects, and is also called an image kernel or a convolution kernel. The region of interest setting unit stores various types of convolution filters, and may include, for example, blurring, sharpening, outlining, and embossing convolution filters. In addition to this, the image processing device 100 may further include various types of convolution filters set by the user or collected from external devices.
관심영역 설정부는 촬영영상에 컨벌루션 필터를 적용하여 출력 이미지를 생성할 수 있다. 구체적으로, 관심영역 설정부는 3X3 행렬로 구성된 컨벌루션 필터들이 저장될 수 있으며, 각각의 컨벌루션 필터는 행렬 요소별로 수치값이 설정될 수 있다. 예컨대, 컨벌루션 필터는 왼쪽 상단부터 순차적으로 1, 0, 1, 0, 1, 0, 1, 0, 1의 값이 설정될 수 있다.The ROI setting unit may generate an output image by applying a convolution filter to the photographed image. Specifically, the region of interest setting unit may store convolution filters composed of a 3X3 matrix, and a numerical value may be set for each convolution filter for each matrix element. For example, values of 1, 0, 1, 0, 1, 0, 1, 0, 1 may be sequentially set from the top left of the convolution filter.
관심영역 설정부는 기준 이미지를 구성하는 어느 하나의 픽셀 및 해당 픽셀의 주변 픽셀들과 컨벌루션필터를 컨벌루션 연산하여 해당 픽셀의 출력값을 산출하며, 산출된 출력값을 이용하여 관심영역을 설정할 수 있다.The region-of-interest setting unit calculates an output value of the corresponding pixel by performing a convolution operation with a convolution filter with any one pixel constituting the reference image and pixels adjacent to the corresponding pixel, and may set the region of interest using the calculated output value.
예컨대, 관심영역 설정부는 미리 저장된 기준값과 픽셀별로 산출된 출력값을 비교하여 기준값과 가장 유사한 출력값을 가진 어느 하나의 픽셀을 선택하고, 선택된 픽셀을 기준으로 소정 반경 내의 영역을 관심영역으로 설정할 수 있다.For example, the ROI setting unit may compare a previously stored reference value with an output value calculated for each pixel, select a pixel having an output value most similar to the reference value, and set an area within a predetermined radius based on the selected pixel as the ROI.
변환부는 관심영역 설정부에서 설정된 상기 관심영역에 포함된 모든 픽셀을 재배치하고, 재배치된 픽셀의 원래 위치 및 변경된 위치를 블록체인을 이용하여 암호화한다.The conversion unit rearranges all pixels included in the ROI set by the ROI setting unit, and encrypts the original and changed locations of the rearranged pixels using a blockchain.
변환부는 미리 정해진 퍼즐화 패턴을 이용하여 원래의 위치와는 다른 위치로 관심영역 내의 픽셀들을 이동시킬 수 있다. 또는, 변환부는 미리 정해진 패턴이 아닌 임의의 위치로 각각의 픽셀을 재배열할 수 있다.The conversion unit may move the pixels in the region of interest to a position different from the original position by using a predetermined jigsaw pattern. Alternatively, the conversion unit may rearrange each pixel in an arbitrary position other than a predetermined pattern.
이후, 변환부는 상기 관심 영역의 픽셀 사이즈에 기초하여 개인 키를 생성하고, 생성된 상기 개인 키에 기초하여 공개 키를 생성하고, 상기 관심영역에 포함된 픽셀의 원래 위치로부터 변경된 위치를 나타내는 트랜잭션 정보를 해시 함수를 이용하여 해시값으로 변환하고, 상기 개인 키를 이용하여 상기 해시값을 암호화함으로써 상기 트랜잭션 정보에 대한 전자서명을 생성한다. 이와 같은 변환부의 구체적인 기능은 후술하기로 한다.Thereafter, the conversion unit generates a private key based on the pixel size of the region of interest, generates a public key based on the generated private key, and transaction information indicating a changed position of a pixel included in the region of interest from the original position. Converts to a hash value using a hash function, and generates a digital signature for the transaction information by encrypting the hash value using the private key. A specific function of the conversion unit will be described later.
일 실시예에서, 상기 변환부는, 상기 관심영역의 가로축 픽셀의 개수를 카운팅하여 제3 변수를 생성하고, 상기 관심영역의 세로축 픽셀의 개수를 카운팅하여 제4 변수를 생성한다.In an embodiment, the conversion unit generates a third variable by counting the number of pixels on the horizontal axis of the region of interest, and generates a fourth variable by counting the number of pixels on the vertical axis of the region of interest.
변환부는 상기 제3 변수와 가장 가까운 소수를 제3 소수로 설정하고, 상기 제4 변수와 가장 가까운 소수를 제4 소수로 설정하며, 설정된 상기 제3 소수 및 상기 제4 소수를 이용하여 상기 개인 키 및 상기 공개 키를 생성하는 것을 특징으로 한다.The conversion unit sets a prime number closest to the third variable as a third prime number, sets a prime number closest to the fourth variable as a fourth prime number, and uses the set third and fourth prime numbers to generate the private key. and generating the public key.
즉, 변환부는 비대칭 암호화 방법을 통해 픽셀들의 위치가 재배열된 관심영역을 암호화할 수 있다.That is, the conversion unit may encrypt the region of interest in which positions of pixels are rearranged through an asymmetric encryption method.
이러한 개인 키-공개 키 생성 방법은 RSA 암호화 알고리즘을 이용한 것으로, RSA 암호화 알고리즘은 널리 공개된 기술이므로 구체적인 공개 키 생성 과정은 생략하기로 한다.This private key-public key generation method uses the RSA encryption algorithm, and since the RSA encryption algorithm is a widely publicized technology, a detailed public key generation process will be omitted.
이러한 경우, 변환부는 생성된 공개 키를 보안 채널을 통해 다른 IoT 기기로 전송하여, IoT 기기들은 암호화된 데이터를 수신하게 되면 변환부로부터 수신된 공개 키를 이용하여 복호화할 수 있다.In this case, the conversion unit transmits the generated public key to other IoT devices through a secure channel, and when the IoT devices receive the encrypted data, they can decrypt it using the public key received from the conversion unit.
다른 실시예에서, 변환부는 촬영영상에 대한 제1 히스토그램과, 관심영역에 대한 제2 히스토그램을 생성하고, 상기 제1 히스토그램을 분석하여 가장 빈도수가 높은 밝기값을 제1 변수로 설정하고, 상기 제2 히스토그램을 분석하여 가장 빈도수가 높은 밝기값을 제2 변수로 설정하며, 설정된 상기 제1 소수 및 상기 제2 소수를 이용하여 상기 개인 키 및 상기 공개 키를 생성한다.In another embodiment, the conversion unit generates a first histogram for the captured image and a second histogram for the region of interest, analyzes the first histogram, sets a brightness value with the highest frequency as a first variable, and sets the first histogram to the first histogram. 2 The histogram is analyzed, the brightness value having the highest frequency is set as a second variable, and the private key and the public key are generated using the set first and second prime numbers.
이때, 변환부(300)는 상기 제1 변수와 상기 제2 변수가 동일한 밝기값인 경우, 상기 제2 히스토그램에서 차순위 빈도수가 높은 밝기값을 제2 변수로 재설정하는 것을 특징으로 한다.In this case, when the first variable and the second variable have the same brightness value, the conversion unit 300 resets a brightness value having a higher next-order frequency in the second histogram as a second variable.
특히, 본 발명에 따른 변환부는 암호화되는 이미지 데이터의 개수가 미리 정해진 개수만큼 누적 저장될 때까지 상기 데이터의 전송 과정을 보류하고 있다가, 암호화된 이미지 데이터의 개수가 미리 정해진 개수만큼 누적 저장된 것으로 확인되면, 누적 저장된 데이터 그룹의 특징을 나타내는 변수 데이터를 설정하고, 설정된 변수 데이터에 기초하여 상기 이미지 데이터를 암호화하는 것을 특징으로 한다.In particular, the conversion unit according to the present invention holds the transmission process of the data until the number of image data to be encrypted is accumulated and stored by a predetermined number, and then confirms that the number of encrypted image data is accumulated and stored by a predetermined number. , variable data representing characteristics of the accumulated and stored data group is set, and the image data is encrypted based on the set variable data.
이를 위해, 변환부는 누적 저장된 수집 데이터를 데이터 그룹으로 묶어 전송할 데이터 그룹을 추출하고, 추출된 데이터 그룹의 특징에 따른 변수 데이터를 설정하며, 설정된 변수 데이터를 각각의 수집 데이터에 연결킨 변형 데이터를 생성하며, 생성된 변형 데이터를 해쉬 함수를 통해 해쉬 값으로 변환시켜 블록체인 네트워크로 등록한다.To this end, the conversion unit bundles the accumulated and stored collected data into data groups, extracts data groups to be transmitted, sets variable data according to the characteristics of the extracted data groups, and creates transformed data that connects the set variable data to each collected data. The generated transformed data is converted into a hash value through a hash function and registered in the blockchain network.
이때, 본 발명에 따른 변환부는 관리자 단말로부터 수신된 기준값을 기초로 변수 데이터를 생성하고, 이를 기초로 이미지 데이터를 해쉬 값으로 변환함으로써 이미지 데이터의 보안성이 향상될 수 있다. In this case, the conversion unit according to the present invention generates variable data based on the reference value received from the manager terminal, and converts the image data into a hash value based on the variable data, so that security of the image data can be improved.
즉, 사용자가 아닌 제3자가 이미지 데이터를 중간에서 획득하더라도, 이미지 데이터의 핵심적인 특징을 차지하는 관심영역 부분의 픽셀이 재배열되어 있어 원본 데이터의 확인이 어려우며, 개인 키 및 공개 키는 관심영역의 특징에 의해 매번 새롭게 생성되기 때문에 외부에서 개인 키 및 공개 키를 알아내기 어렵다는 장점이 있다.That is, even if a third party other than the user obtains the image data from the middle, it is difficult to verify the original data because the pixels of the region of interest, which is the core feature of the image data, are rearranged. Because it is newly generated every time by the characteristic, it has the advantage that it is difficult to find out the private key and public key from the outside.
이와 같은 기술은 애플리케이션으로 구현되거나 다양한 컴퓨터 구성요소를 통하여 수행될 수 있는 프로그램 명령어의 형태로 구현되어 컴퓨터 판독 가능한 기록 매체에 기록될 수 있다. 상기 컴퓨터 판독 가능한 기록 매체는 프로그램 명령어, 데이터 파일, 데이터 구조 등을 단독으로 또는 조합하여 포함할 수 있다.Such technology may be implemented as an application or implemented in the form of program instructions that can be executed through various computer components and recorded on a computer-readable recording medium. The computer readable recording medium may include program instructions, data files, data structures, etc. alone or in combination.
상기 컴퓨터 판독 가능한 기록 매체에 기록되는 프로그램 명령어는 본 발명을 위하여 특별히 설계되고 구성된 것들이거니와 컴퓨터 소프트웨어 분야의 당업자에게 공지되어 사용 가능한 것일 수도 있다.Program instructions recorded on the computer-readable recording medium may be those specially designed and configured for the present invention, or those known and usable to those skilled in the art of computer software.
컴퓨터 판독 가능한 기록 매체의 예에는, 하드 디스크, 플로피 디스크 및 자기 테이프와 같은 자기 매체, CD-ROM, DVD 와 같은 광기록 매체, 플롭티컬 디스크(floptical disk)와 같은 자기-광 매체(magneto-optical media), 및 ROM, RAM, 플래시 메모리 등과 같은 프로그램 명령어를 저장하고 수행하도록 특별히 구성된 하드웨어 장치가 포함된다.Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, and magneto-optical media such as floptical disks. media), and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like.
프로그램 명령어의 예에는, 컴파일러에 의해 만들어지는 것과 같은 기계어 코드뿐만 아니라 인터프리터 등을 사용해서 컴퓨터에 의해서 실행될 수 있는 고급 언어 코드도 포함된다. 상기 하드웨어 장치는 본 발명에 따른 처리를 수행하기 위해 하나 이상의 소프트웨어 모듈로서 작동하도록 구성될 수 있으며, 그 역도 마찬가지이다.Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter or the like as well as machine language codes such as those produced by a compiler. The hardware device may be configured to act as one or more software modules to perform processing according to the present invention and vice versa.
이상에서는 실시예들을 참조하여 설명하였지만, 해당 기술 분야의 숙련된 당업자는 하기의 특허 청구범위에 기재된 본 발명의 사상 및 영역으로부터 벗어나지 않는 범위 내에서 본 발명을 다양하게 수정 및 변경시킬 수 있음을 이해할 수 있을 것이다.Although the above has been described with reference to embodiments, it will be understood that those skilled in the art can variously modify and change the present invention without departing from the spirit and scope of the present invention described in the claims below. You will be able to.

Claims (3)

  1. 사물 인터넷을 구성하는 IoT 디바이스 간 보안 통신 채널을 형성하여 보안 통신 채널을 통해 송수신되는 데이터를 데이터 크기에 따라 서로 다른 방법으로 암호화하는 보안 허브 모듈을 포함하는, 대용량 데이터의 보안 처리 시스템.A secure processing system for large amounts of data, including a secure hub module that forms a secure communication channel between IoT devices constituting the Internet of Things and encrypts data transmitted and received through the secure communication channel in different ways according to the size of the data.
  2. 제1항에 있어서,According to claim 1,
    상기 보안 허브 모듈은,The secure hub module,
    통신이 요구되는 IoT 디바이스 간 보안 통신 채널을 설정하는 채널 설정부; 및A channel setting unit for setting a secure communication channel between IoT devices requiring communication; and
    미리 설정된 암호화 알고리즘을 통해 보안 통신 채널을 통해 IoT 디바이스로 송수신되는 데이터를 암호화하는 암호화부를 포함하는, 대용량 데이터의 보안 처리 시스템.An encryption unit for encrypting data transmitted to and received from an IoT device through a secure communication channel through a preset encryption algorithm, a system for processing large-capacity data security.
  3. 제2항에 있어서,According to claim 2,
    상기 암호화부는,The encryption unit,
    상기 보안 통신 채널을 통해 송수신되는 데이터를 저용량 데이터 또는 대용량 데이터 중 어느 하나로 구분하는 데이터 분류부; 및a data classification unit that classifies data transmitted and received through the secure communication channel as either low-capacity data or large-capacity data; and
    상기 보안 통신 채널을 통해 송수신되는 데이터가 대용량 데이터인 것으로 판단되면, 대용량 데이터를 복수의 블록으로 분할하고, 분할된 각각의 블록을 미리 설정된 블록암호 알고리즘을 이용하여 암호화하는 대용량 데이터 암호화부를 포함하는, 대용량 데이터의 보안 처리 시스템.When it is determined that the data transmitted and received through the secure communication channel is large-capacity data, a large-capacity data encryption unit that divides the large-capacity data into a plurality of blocks and encrypts each of the divided blocks using a preset block cipher algorithm, A secure processing system for large amounts of data.
PCT/KR2022/019175 2021-11-30 2022-11-30 System for managing security of large amount of data WO2023101399A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2021-0169399 2021-11-30
KR1020210169399A KR102376435B1 (en) 2021-11-30 2021-11-30 Internet of Things Security System

Publications (1)

Publication Number Publication Date
WO2023101399A1 true WO2023101399A1 (en) 2023-06-08

Family

ID=80936792

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2022/019175 WO2023101399A1 (en) 2021-11-30 2022-11-30 System for managing security of large amount of data

Country Status (2)

Country Link
KR (1) KR102376435B1 (en)
WO (1) WO2023101399A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102376435B1 (en) * 2021-11-30 2022-03-18 주식회사 시옷 Internet of Things Security System

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011186631A (en) * 2010-03-05 2011-09-22 Mitsubishi Electric Corp File transfer system and file transfer method
US9325723B2 (en) * 2014-04-16 2016-04-26 Daegu Gyeongbuk Institute Of Science And Technology Proximity service security system and method using beacon
KR20180130203A (en) * 2017-05-29 2018-12-07 한국전자통신연구원 APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
KR102303689B1 (en) * 2016-05-27 2021-09-17 어페로, 인크. Systems and methods for establishing secure communication channels with Internet of Things (IoT) devices
KR102376435B1 (en) * 2021-11-30 2022-03-18 주식회사 시옷 Internet of Things Security System
KR102433640B1 (en) * 2021-11-30 2022-08-18 주식회사 시옷 Security processing system for large amounts of data

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011186631A (en) * 2010-03-05 2011-09-22 Mitsubishi Electric Corp File transfer system and file transfer method
US9325723B2 (en) * 2014-04-16 2016-04-26 Daegu Gyeongbuk Institute Of Science And Technology Proximity service security system and method using beacon
KR102303689B1 (en) * 2016-05-27 2021-09-17 어페로, 인크. Systems and methods for establishing secure communication channels with Internet of Things (IoT) devices
KR20180130203A (en) * 2017-05-29 2018-12-07 한국전자통신연구원 APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
KR102376435B1 (en) * 2021-11-30 2022-03-18 주식회사 시옷 Internet of Things Security System
KR102433640B1 (en) * 2021-11-30 2022-08-18 주식회사 시옷 Security processing system for large amounts of data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHANG, HYE-YOUNG ET AL.: "A Study on Adaptive Cryptography Methods based on Context Information under Mobile Environment", PROCEEDINGS OF THE 27TH KOREA INFORMATION PROCESSING SOCIETY SPRING CONFERENCE, vol. 14, no. 1, May 2007 (2007-05-01), pages 1001 - 1004 *

Also Published As

Publication number Publication date
KR102376435B1 (en) 2022-03-18

Similar Documents

Publication Publication Date Title
Hosam et al. Hybrid design for cloud data security using combination of AES, ECC and LSB steganography
WO2023101399A1 (en) System for managing security of large amount of data
CN109309644B (en) Network watermarking method and system based on biorthogonal carrier
Chen et al. Generalized optical encryption framework based on Shearlets for medical image
CN113452688B (en) Image encryption and decryption method and device based on SM4 and SM2 algorithms
WO2023101401A1 (en) Vehicle software management system using ota
WO2023101069A1 (en) Security processing system for large amount of data
Lai et al. Practical encrypted network traffic pattern matching for secure middleboxes
CN113408707A (en) Network encryption traffic identification method based on deep learning
WO2023101400A1 (en) Vehicle information collection device
CN112561770A (en) Confrontation sample defense method based on fragile watermark
Liu et al. A survey on encrypted traffic identification
Roselinkiruba et al. Performance evaluation of encryption algorithm using fruit fly optimization improved hybridized seeker and PVD algorithm
Wang et al. TPE-ISE: approximate thumbnail preserving encryption based on multilevel DWT information self-embedding
Tanygin et al. Study of the Influence of the Unauthorized Blocks Number on the Collision Probability
CN114362988B (en) Network traffic identification method and device
Agniel et al. Image Processing for Detecting Botnet Attacks: A Novel Approach for Flexibility and Scalability
Jin et al. Video Sensor Security System in IoT Based on Edge Computing
WO2019066319A1 (en) Method of provisioning key information and apparatus using the method
kumar Singh et al. A robust color image encryption algorithm in dual domain using chaotic map
CN116684357A (en) Method and system for identifying transport layer security protocol encrypted traffic
Swain Advanced Digital Image Steganography Using LSB, PVD, and EMD: Emerging Research and Opportunities: Emerging Research and Opportunities
Alhelal et al. Systematic Analysis on the Effectiveness of Covert Channel Data Transmission
Kao et al. Automatic NIDS rule generating system for detecting HTTP-like malware communication
WO2024106789A1 (en) Device and method for determining malicious packet in encryption traffic on basis of artificial intelligence

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22901757

Country of ref document: EP

Kind code of ref document: A1