WO2023163506A1

WO2023163506A1 - System for controlling file transmission and reception of application, and method therefor

Info

Publication number: WO2023163506A1
Application number: PCT/KR2023/002544
Authority: WO
Inventors: 김영랑
Original assignee: 프라이빗테크놀로지 주식회사
Priority date: 2022-02-23
Filing date: 2023-02-22
Publication date: 2023-08-31
Also published as: KR102446933B1

Abstract

A node, according to one embodiment disclosed in the present document, comprises a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing an access control application and a target application. The memory may store instructions that, when executed by the processor, cause the node to: when a file IO access event of the target application is detected, check whether a data flow allocated to the target application exists, by means of the access control application; if the data flow allocated to the target application exists, identify the type of file IO of the target application by means of the access control application; if the identified type of file IO is writing, perform file decryption by means of the access control application; and if the identified type of file IO is reading, perform file encryption by means of the access control application.

Description

System for controlling file transmission and reception of application and method therefor

Mutual Citation with Related Applications

The present invention claims the benefit of priority based on Korean Patent Application No. 10-2022-0023474 filed on February 23, 2023, and includes all contents disclosed in the literature of the Korean patent application as part of this specification.

technology field

Embodiments disclosed in this document relate to a system and method for controlling file transmission and reception of an application.

Multiple devices may communicate data over a network. For example, the terminal may transmit or receive data with a server through the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

The terminal performs communication with the server by utilizing IP (Internet Protocol)-based TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and controls the connection between the source IP and destination IP authorized in TCP or UDP technology. Firewall technology may be used. In the case of such IP communication, since there is a problem that IP can be forged or tampered with, in order to solve this problem, virtual private network (VPN) technology and tunneling technology for encrypting data packets between a terminal and a server are used.

When using a VPN based on tunneling technology, which is created at the terminal level or per IP unit assigned to the terminal, there is a vulnerability that unallowed or unsafe applications access the unallowed destination network through always-connected tunneling after initial authentication. , Security incidents caused by infiltration of various malware and ransomware are increasing. In order to solve this problem, an application connectivity control technology that allows only allowed applications to access the allowed network is applied to identify applications that are fundamental communication subjects and block access of disallowed applications in advance.

For example, in a state in which an allowed application can access a permitted network, it may not be possible to control the application's behavior of receiving or transmitting a file through the network. DLP (Data Loss Prevention) exists as a technology to solve this problem, and DLP prevents unauthorized media (e.g., USB or removable storage devices) from being connected or preventing sharing of a specific folder on the network. or, when a specific application selects a file for file transfer, prevents the file from being transferred by blocking the file from being selected, or when file input/output of a specific application occurs or when tracking file input/output, the user Data leakage can be prevented by removing the file input/output handle when the file does not have the file input/output authority.

Such DLP technology may not be able to prevent unauthorized media from being connected in an area where physical security control is unavailable and in a telecommuting environment using personally owned terminals where there is a limit to the application of security policies. Furthermore, the DLP technology that tracks a specific action may not be able to prevent, for example, a non-user malicious code directly loading and transmitting a file without a file selection window when the specific action is not performed. In addition, since the DLP technology, which tracks file input/output of a specific application, tracks file input/output targeting a specific application and blocks it collectively, it may be difficult to allow file transmission on a network connected by the application. In the case of DLP, which provides a way to release file input/output restrictions by identifying the access address window of the Internet browser, in the case of an application that does not have an access address window, network access information cannot be traced, so there are limitations in controlling file reception and transmission. There may be.

In addition, when uploading a file to a work server that exists on a controllable network by a terminal, file encryption is performed through a service application (or web application), or the file is uploaded without encryption processing, and the network and physical You can prevent files from being leaked through access control. In order to solve this problem, there is DRM (Digital Rights Management) technology as a technology for encrypting a file and decrypting the file only for an object that can read the file.

However, there are limits to network access control in environments such as cloud environments and software as a service applications, and defects in service applications (e.g., zero day attacks) are always exposed to the Internet due to the nature of the environment. )), brute force attack, or credential stuffing), or unauthorized access by the cloud or service provider (e.g. data mining and machine learning) to ensure the safety of uploaded files. may not be able to In addition, since DRM technology encrypts files uniformly, only files uploaded to the cloud are encrypted, and files are not encrypted when uploaded to a business server that exists on a controllable network. Depending on this, selective encryption may not be possible.

Therefore, when a target application uploads a file to a cloud environment that needs to protect the file, a technology that can encrypt the file uploaded to the cloud in a form that cannot be decrypted even if the file uploaded to the cloud is downloaded by a target other than the target having ownership is required. When a file is uploaded to a business server that exists on a network that is necessary and can be controlled by the target application, it is an optional file that does not perform separate encryption at the terminal so that the service application that exists on the server can process its own encryption. Encryption technology is required.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing an access control application and a target application; When the node, when executed by the processor, detects a file IO access event of the target application, the memory checks whether a data flow allocated to the target application exists through the access control application, and the If there is a data flow allocated to the target application, through the access control application, the type of file IO of the target application is checked, and if the type of the checked file IO is write, through the access control application, When the file decryption process is performed and the type of the identified file IO is read, commands for performing the file encryption process may be stored through the access control application.

A server according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database, wherein the memory comprises: When executed by a processor, the server receives a file decryption request from the access control application of the node, the file decryption request includes file identification information of a file input output (IO) target file, and the file identification information Check whether file IO table information for the target file exists in the database using the database, and if the file IO table information exists, check whether or not to decrypt the file based on the file IO table information, , Commands for transmitting a response indicating whether or not the file is decrypted for the target file to the access control application of the node may be stored.

A server according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database, wherein the memory comprises: When executed by a processor, the server receives a file encryption request from the access control application of the node, the file encryption request includes file identification information of a file input output (IO) target file, and the file identification information Check whether file IO table information for the target file exists in the database using the database, and if the file IO table information exists, check whether the file is encrypted for the target file based on the file IO table information, , Commands for transmitting a response indicating whether or not the target file is encrypted to the access control application of the node may be stored.

In the method of operating a node according to an embodiment disclosed in this document, when a file IO access event of a target application of the node is detected, whether or not a data flow allocated to the target application exists through an access control application of the node. operation of checking, if there is a data flow allocated to the target application, operation of checking the type of file IO of the target application through the access control application, if the type of the checked file IO is write, An operation of performing a file decryption process through the access control application, and an operation of performing a file encryption process through the access control application when the type of the identified file IO is read.

A method of operating a server according to an embodiment disclosed in this document includes receiving a file decryption request from an access control application of a node, the file decryption request including file identification information of a file input output (IO) target file, An operation of checking whether file IO table information for the target file exists in the database of the server using the file identification information, and if the file IO table information exists, the target file based on the file IO table information and an operation of transmitting a response indicating whether or not the file has been decrypted for the target file to the access control application of the node.

A method of operating a server according to an embodiment disclosed in this document includes receiving a file encryption request from an access control application of a node, the file encryption request including file identification information of a file input output (IO) target file, An operation of checking whether file IO table information for the target file exists in the database of the server using the file identification information, and if the file IO table information exists, the target file based on the file IO table information It may include an operation of checking whether a file is encrypted for , and an operation of transmitting a response indicating whether or not the file is encrypted for the target file to the access control application of the node.

According to the embodiments disclosed in this document, it is possible to control file reception and transmission by application and network by checking whether to allow file input/output of the identified target and allowing file input/output only to the permitted connection target. do.

According to the embodiments disclosed in this document, when receiving or transmitting a file, the file may be selectively encrypted or decrypted according to the policy of the controller.

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 illustrates an architecture within a network environment in accordance with various embodiments.

2 is a functional block diagram illustrating a database stored in a controller according to various embodiments.

3 illustrates control flow information, data flow information, and file IO table information among information included in a database according to various embodiments.

4 is a functional block diagram of a node in accordance with various embodiments.

5 describes an operation of controlling transmission of a data packet according to various embodiments.

6 shows a signal flow diagram for controller connection according to various embodiments.

7 illustrates a signal flow diagram for user authentication according to various embodiments.

8 illustrates a user interface screen for accessing a controller according to various embodiments.

9 illustrates a signal flow diagram for network access according to various embodiments.

10 is a flowchart illustrating an operation of a node for monitoring file input/output access according to various embodiments.

11 is a flowchart illustrating an operation of a node for examining a file input/output table according to various embodiments.

12 is a signal flow diagram for checking file write information according to various embodiments.

13 is a signal flow diagram for checking file read information according to various embodiments.

14 illustrates a flow diagram of an operation of a node for data packet transmission according to various embodiments.

15 illustrates a signal flow diagram for control flow update according to various embodiments.

16 illustrates a signal flow diagram for control flow cancellation according to various embodiments.

17 shows a signal flow diagram for data flow cancellation according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, and includes various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, the actions performed by a module, program, or other component are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the actions are executed in a different order, or omitted. or one or more other actions may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 illustrates an architecture within a network environment according to various embodiments.

The node 201 shown in FIG. 1 may be various types of devices capable of performing data communication. For example, the node 201 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device, Or it may include a home appliance, but is not limited to the aforementioned devices. For example, node 201 may include a server or gateway capable of transmitting data packets through an application. The node 201 may also be referred to as an 'electronic device' or a 'terminal'.

Node 201 may store a plurality of target applications 211-1, 211-2, 211-3 and a connection control application 212.

Each of the target applications 211-1, 211-2, and 211-3 is directed to the service servers 205-1 and 205-2 through the gateways 203-1 and 203-2 under the control of the access control application 212. It can transmit data packets or conversely receive data packets.

Some of the targeted applications (211-1, 211-2, 211-3) are allowed and/or secured applications, such as web browsers or business applications, while others are disallowed programs (e.g. malware, ransomware). , other disallowed applications) or insecure malicious programs (applications infected with malicious code, counterfeit or tampered with). According to embodiments, the access control application 212 identifies a program (or target application, process of the target application) requesting data packet transmission, and transmits the data packet of the disallowed program to the outside of the node 201. can prevent it from happening. In addition, according to embodiments, the access control application 212 is a secure session (220-1, 220-2) between the access control application 212 and the gateways (203-1, 203-2) of the unauthorized program. Access to the service servers 205-1 and 205-2 may be blocked and corresponding programs may be quarantined.

For example, before the target applications 211-1, 211-2, and 211-3 according to embodiments communicate with the service servers 205-1 and 205-2, the access control application 212 controls the controller 202 ), whether access is possible, and if access is possible, authentication may be performed with the gateways 203-1 and 203-2 through data packets authenticated by the controller 202. When authentication is complete, the access control application 212 may create a secure session with the gateways 203-1 and 203-2 and the secure sessions 220-1 and 220-2.

According to various embodiments, the node 201 includes an access control application 212 and a network driver (not shown) for managing network access of the target applications 211-1, 211-2, and 211-3 stored in the node 201. city) may be included. For example, when an access event for the service server 205-1 or 205-2 of the target application 211-1, 211-2 or 211-3 stored in the node 201 occurs, the access control application 212 ) may determine whether the target applications 211-1, 211-2, and 211-3 are accessible. If the target applications 211-1, 211-2, and 211-3 are accessible, the access control application 212 connects to the gateways 203-1 and 203-2 through the secure sessions 220-1 and 220-2. data packets can be transmitted. The access control application 212 may control transmission of data packets within the node 201 through a kernel including an operating system and network drivers.

In addition, the access control application 212 may monitor and control file system input output (IO) in the kernel. File system IO refers to input and/or output generated by an arbitrary application (or arbitrary process) in the kernel's file system. The file system IO includes an operation of writing specific information to the file system, reading specific information of the file system, or updating the file system. For file system IO, any application (or any process) must acquire a handle (eg, file handle) to use the file system.

The access control application 212 uses a file system driver (not shown) or a file IO control module (not shown) capable of monitoring file system IO through hooking for file system IO events to monitor file system IO. can include File system IO can also be referred to as file IO.

The file IO control module may identify which of the target applications 211-1, 211-2, and 211-3 is accessing the file system (or accessing the file IO) by monitoring the file IO.

The file IO control module may check whether the application can access the file IO in association with a network to which the corresponding application is connected through identification information and a process identifier (PID) of the application related to the data flow. The file IO control module, when the application cannot access the file IO, processes the application so that it can no longer access the file IO, allowing the node 201 to control file transmission and file reception in detail. The file IO control module can remove the file IO handle so that the application can no longer access the file IO when the application cannot access the file IO. Removal of a file IO handle may also be referred to as file IO removal.

The controller 202 may be, for example, a server (or cloud server). The controller 202 manages data transmission between the node 201, the gateways 203-1 and 203-2, and the service servers 205-1 and 205-2 to ensure reliable data transmission within the network environment. can For example, the controller 202 may allow the network access of the authorized node 201 (or the access control application 212) through policy information or blacklist information.

In addition, the controller 202 mediates the creation of secure sessions 220-1 and 220-2 between the access control application 212 and the gateways 203-1 and 203-2, or the node 201 or the gateway 203 According to the security events collected from -1 and 203-2, the security sessions 220-1 and 220-2 may be removed. The access control application 212 can communicate with the service servers 205-1 and 205-2 only through the security sessions 220-1 and 220-2 authorized by the controller 202, and the authorized security session ( If the nodes 220-1 and 220-2 do not exist, network access of the node 201 and the access control application 212 may be blocked. In one embodiment, the target applications 211-1, 211-2, and 211-3 may access the service servers 205-1 and 205 only through the secure sessions 220-1 and 220-2 authorized by the controller 202. -2), and if there is no authorized secure session (220-1, 220-2), the network access of the target applications (211-1, 211-2, 211-3) is the access control application (212 ), can be blocked from the controller 202 or gateway 203. According to one embodiment, the controller 202 is an access control application (eg, registration, approval, authentication, renewal, termination) associated with network access of the node 201 or access control application 212 212) and control data packets can be transmitted and received. A flow through which the control data packet is transmitted (eg, 230) may be referred to as a 'control flow'.

The gateways 203-1 and 203-2 may be located at the boundary of the network to which the node 201 belongs or the boundary of the network to which the service servers 205-1 and 205-2 belong. According to one embodiment, the gateways 203-1 and 203-2 may be connected to the controller 202 based on a cloud. The gateways 203-1 and 203-2 may forward only authorized data packets among data packets received from the access control application 212 to the service servers 205-1 and 205-2. A flow in which data packets are transmitted between the access control application 212 and the gateways 203-1 and 203-2 (eg, 240-1 and 240-2) may be referred to as a 'data flow'. .

Data flows can be created not only on a node or IP basis, but also on a more granular basis (e.g., on an application basis). The gateways 203-1 and 203-2 are connected to the access control application 212 prior to the creation of secure sessions 220-1 and 220-2 between the access control application 212 and the gateways 203-1 and 203-2. By performing authentication and forwarding only the data packets transmitted through the secure sessions 220-1 and 220-2 among the data packets transmitted from the access control application 212 to the service servers 205-1 and 205-2, indiscriminate prevention Network access can be blocked in advance.

2 is a functional block diagram showing a database stored in the controller 202 according to various embodiments, and FIG. 3 shows control flow information 340, data flow information 350, and file IO table information among information included in the database ( 360).

Referring to FIG. 2 , the controller 202 may store databases 311 to 317 for controlling network access and data transmission in a memory 330 . Although FIG. 2 shows only the memory 330, the controller 202 may include an external electronic device (e.g., node 201 in FIG. 1, gateways 203-1 and 203-2) or service servers 205-1 and 205- 2)) further includes a communication circuit (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, the processor 410 of FIG. 4 ) for controlling the overall operation of the controller 202 for performing communication with the can do. Since the administrator can connect to the controller 202 and set a connection-oriented policy for controlling access between the access control application 212 and the service servers 205-1 and 205-2, the service side manages the session. You can control network access more precisely and securely.

The access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access. For example, the controller 202, when requesting network access from the access control application 212, identifies a network (eg, a network to which the node 201 belongs), a node, and a user based on a policy of the access policy database 311. (eg, a user of the node 201), and/or an application (eg, a target application 211-1, 211-2, or 211-3 included in the node 201) service servers 205-1, 205 It is possible to determine whether access to -2) is possible. In one embodiment, the controller 202 sets a whitelist of target applications 211-1, 211-2, and 211-3 that can be accessed by a specific service (eg, IP and port) based on the access policy database 311. can create

The file IO policy database 312 is associated with an access policy and may include information for establishing a file IO policy for the target applications 211-1, 211-2, and 211-3. For example, the file IO policy database 312 includes information on whether or not to allow file reception and transmission of the target applications 211-1, 211-2, and 211-3, and terminals (eg, nodes). (201)) may include access authority information for each file associated with identification information of the user, terminal, application, and network regarding whether to allow file writing or file reading with respect to the requested file. In addition, the file IO policy database 312 may include whether to encrypt a file, whether to encrypt a file, an algorithm to be used when encrypting and decrypting a file, and information on generating a file encryption and decryption key.

The blacklist policy database 313 is a target identified through analysis of the risk, occurrence cycle, and/or behavior of security events among security events periodically collected by the node 201 or the gateways 203-1 and 203-2 ( Example: A blacklist registration policy for blocking access of at least one of a node identifier (ID), an IP address, a media access control (MAC) address, or a user ID) may be indicated.

The blacklist database 314 may include a list of objects blocked by the blacklist policy database 313 . For example, the controller 202 may isolate the node 201 by denying the network access request when identification information of the node 201 requesting network access is included in the blacklist database 314 .

The control flow table 315 is an example of a session table for managing the flow of control data packets generated between the connection control application 212 and the controller 202 (ie, control flow).

For example, referring to FIG. 3 , when the access control application 212 successfully accesses the controller 202, control flow information 340 and control flow ID 342 (also referred to as 'control flow identification information') may) be generated by the controller 202 . The control flow information 340 may include identification information 344 indicating at least one of an IP identified during controller access and authentication, a node, an application, or an object additionally identified through association with a service server. For example, when a network access request from the access control application 212 is received, the controller 202 converts the control flow ID and identification information included in the access request to the control flow ID 342 and control flow ID 342 included in the control flow information 340. By mapping with the identification information 344, it is possible to connect the access control application 212 to the service servers 205-1 and 205-2 and to create secure sessions 220-1 and 220-2 with the gateway 203. It is possible to determine whether a data flow can be created for State information 346 may indicate various states such as creation, authentication, renewal, termination, and the like of the control flow.

According to one embodiment, since the control flow has an expiration time, the node 201 needs to update the expiration time of the control flow based on the time information 348, and if the expiration time is not updated for a certain period of time, the control flow ( Alternatively, the control flow information 340 may be removed. In addition, it is determined that immediate blocking of access is necessary according to the node 201, the access control application 212, other security applications (not shown), or security events collected from the gateways 203-1 and 203-2; When a connection termination request is received from them, the controller 202 may remove the control flow. When the control flow is removed, the associated data flow is also removed, and the gateways 203-1 and 203-2 connect the access control application 212 or the service server 205 of the target applications 211-1, 211-2 and 211-3. -1, 205-2) can be blocked.

The data flow table 316 is a flow (e.g., data flow ) is a table for managing Data flows can be created in TCP sessions, applications, or more granular units. The data flow table 316 may include an application ID, destination IP address, and/or service port for identifying whether a data packet transmitted from a source is an authorized data packet.

Referring to FIG. 3 , data flow information 350 may include a data flow ID 351 and a control flow ID 352 when the data flow is dependent on the control flow. In addition, the data flow information 350 includes authorized destination information 353 for determining forwarding of the data packet based on the source IP and destination IP and port of the data packet, a state indicating whether the data flow is in a valid state that can be used information 355 and/or time information 356 representing authentication expiration time information of the data flow. In addition, the data flow information 350 may further include authorized file IO information 354 . The authorized file IO information 354 may include information on whether to allow file IO access (eg, access such as read and write) of an application. For example, the authorized file IO information 354 may include information on whether writing is possible and writable path information at the time of file IO for file reception by an application. For example, the authorized file IO information 354 may include readable information and readable path information at the time of file IO for file transmission by an application. Also, for example, the authorized file IO information 354 includes information about whether the application applying the data flow allows file IO (eg, file IO processing exception). For example, the authorized file IO information 354 depends on whether the controller 202 needs to check the file write information when the application writes a file, and whether the file read information needs to be checked by the controller 202 when the application reads a file. information may be included. Also, for example, the authorized file IO information 354 may include whether file encryption is required and whether file decryption is required.

The file IO table 317 is a database for recording and managing file IOs generated by the node 201, and may include file IO table information 360.

Referring to FIG. 3 , the file IO table information 360 includes a PID 361 of a process in which file system IO occurs and application identification information 362 for identifying an application (eg, application name and execution path, unique information, etc.) ) may be included. The file IO table information 360 may include a data flow ID 363 for association with network access control information when a file system IO occurs while the data flow is identified. The file IO table information 360 includes file IO information 364 about the type of file system IO (e.g., reading and/or writing), a key to be used when encrypting and decrypting a file, and types of encryption and decryption algorithms. file information 366 including encryption/decryption information 365, path where file system IO occurred, file name, and/or unique information for managing files (eg, hash and signature, header information, etc.), file IO termination, whether to release file IO according to disallowed file IO, whether a file read request (or 'request to check file read information') is required, and a file write request (or 'request to check file write information') It can be referred to as.) State information 367 including information on whether it is needed, and/or file IO time information 368 indicating the time at which file IO occurred.

4 shows a functional block diagram of node 201 according to various embodiments. At least some of the configurations shown in FIG. 4 may be applied to the controller 202, gateways 203-1 and 203-2, or service servers 205-1 and 205-2.

Referring to FIG. 4 , a node 201 may include a processor 410 , a memory 420 , and a communication circuit 430 . According to one embodiment, node 201 may further include a display 440 to provide a user interface.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically or operatively (eg, memory 420, communication circuitry 430, or display 440) in node 201 (e.g., memory 420). It can be operatively coupled with or connected to. The processor 410 may receive commands from other components, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver. The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like. The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to one embodiment, the memory 420 may store the target applications 211-1, 211-2, and 211-3 of FIG. 1 and the access control application 212. The access control application 212 may perform network access and secure sessions 220-1 and 220-2 with the gateways 203-1 and 203-2, and control flow creation and update functions with the controller 202. there is. To this end, the access control application 212 may include one or more security modules. In one embodiment, the memory 420 may store control flow information 340 , data flow information 350 , and file IO table information 360 of FIG. 3 .

In one embodiment, the target applications 211-1, 211-2, and 211-3 use one or more security modules to create secure sessions 220-1 and 220-2 with the gateways 203-1 and 203-2. can include

The communication circuit 430 establishes a wired or wireless communication connection between the node 201 and an external electronic device (eg, the controller 202 or the gateways 203-1 and 203-2), and performs communication through the established connection. can support According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integral touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

Referring to FIG. 5, the access control application 212 detects a network access request to the service server 205 from the target application 211 included in the node 201, and the node 201 or the access control application 212 ) can determine whether or not the controller 202 is in a connected state. When the node 201 or the access control application 212 is not connected to the controller 202, the access control application 212 may block transmission of data packets in a kernel or network driver included in an operating system. Through the access control application 212, the node 201 may block access of malicious applications in advance in an application layer among seven layers of open system interconnection (OSI).

In one embodiment, the access control application 212 is not connected to the controller 202, the access control application 212 has not been authenticated by the gateway 203, or the access control application 212 is not connected. If a secure session is not created between the gateways 203, data packets transmitted from the access control application 212 are blocked by the gateway 203, and the access control application 212 may request access to the controller 202. only Depending on the embodiment, even if the access control application 212 is not authenticated by the gateway 203, a data packet transmitted from the access control application 212 may not be blocked by the gateway 203.

According to another embodiment, if the access control application 212 is not installed on the node 201 or if a malicious application bypasses control of the access control application 212, unauthorized data packets may be transmitted from the node 201. there is. In this case, since the gateway 203 present at the boundary of the network blocks data packets that are received as an unauthorized secure session and data packets that do not have a data flow, the data packets transmitted from the node 201 (e.g., TCP session data packets for generation) may not reach the service server 205 . In other words, node 201 can be isolated from service server 205 .

Since the node 201 needs to be authorized by the controller 202 to access the network, the access control application 212 of the node 201 requests the controller 202 to create a control flow so that the node 201 You can try to connect to the controller of

Referring to FIG. 6 , in operation 605 , node 201 may detect a controller connection event. For example, when connection control application 212 is installed and/or executed within node 201, node 201 may detect that a connection to controller 202 is being requested.

At operation 610 , node 201 may request controller connection from controller 202 . For example, the connection control application 212 can transmit identification information of the connection control application 212 to the controller 202 . Additionally, the access control application 212 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.

In operation 615 , the controller 202 may identify whether or not the controller access of the target (eg, the access control application 212 and the node 201 ) requesting the controller connection is possible. According to one embodiment, the controller 202 controls whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or access control. Based on at least one of whether the identification information of the application 212 is included in the blacklist database 314 , it is possible to determine whether the controller access of the object requesting the controller access is possible.

If the controller 202 can create a control flow between the node 201 (or the connection control application 212 ) and the controller 202 , the controller 202 can create a control flow. In this case, the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 212 into a control flow table ( 315) can be stored. Information (e.g., control flow information 340) stored in the control flow table 315 is used for user authentication of the node 201, information update of the node 201, policy check for network access of the node 201, and/or Or it can be used for validation.

In operation 620, the controller 202 may check an access policy corresponding to the information identified in the access policy database 311 (eg, the node 201 and source network information to which the node 201 belongs). The controller 202 may generate whitelist information of accessible applications based on the checked access policy. In other embodiments, the controller 202 may not perform operation 620. For example, if it is not possible to access the controller of the object requesting access, the controller 202 may not perform operation 620 .

At operation 625 , the controller 202 may transmit a response to the controller connection request to the node 201 . In one embodiment, the controller 202 may transmit control flow information 340 including control flow identification information to the node 201 in response to the controller connection request. In one embodiment, the controller 202 may transmit the white list generated through the execution of operation 620 to the connection control application 212 . Depending on the embodiment, if the target for which access to the controller is requested is unavailable or included in the blacklist, the controller 202 may notify controller access failure in response to the controller access request without generating a control flow.

In one embodiment, node 201 may process the resulting value according to the received response. For example, the connection control application 212 may store the received control flow identification information and display a user interface screen (not shown) indicating completion of the controller connection to the user. When the controller connection is completed, the network access request of the node 201 to the service server 205 may be controlled by the controller 202 .

Depending on the embodiment, the controller 202 may determine that the node 201 is inaccessible. For example, when controller access unavailability information is received, the node 201 may output a user interface screen indicating that controller access is unavailable to the user. For example, the user interface screen may include a user interface indicating that access to the node 201 is blocked and guiding isolation release through an administrator (eg, the controller 202).

In one embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may further perform operations 630 to 650. According to embodiments, the access control application 212 of the node 201, the controller 202, and the gateway 203 may perform all or part of operations 630 to 650.

At operation 630, the access control application 212 may perform a check of the application. For example, when the white list is received from the controller 202 , the access control application 212 may check whether applications included in the white list are installed in the node 201 . In the case of applications included in the white list among the applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (eg whether or not the application is forged or tampered with, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

At operation 635 , the access control application 212 may send the application's test result to the controller 202 .

The controller 202 may check whether the application is valid based on the check result. If the application is valid, the controller 202 checks the gateways 203-1 and 203-2 where the node 201 is located in the access policy for the node 201 to allow the node 201 to access the network, Thereafter, operation 640 may be performed.

In operation 640, the controller 202 determines the originating node 201 to transmit data packets to the service servers 205-1 and 205-2 via the gateways 203-1 and 203-2 without a network connection request procedure. Data flows can be created based on IP, destination IP and port information.

The controller 202 may check a file IO policy when creating a data flow and generate authorized file IO information 354 based on the file IO policy. The data flow information 350 of the data flow may include the generated authorized file IO information 354 . The authorized file IO information 354 may include policy information related to file IO access of an application using a data flow. For example, the authorized file IO information 354 may include information about whether or not to allow an application's file IO access (eg, read or write access). In addition, the authorized file IO information 354 may include information about a file path to which an application is permitted access and/or a file path to which access is not permitted.

At operation 645 , the controller 202 may transmit a response to the transmission of the application check result of the connection control application 212 . For example, the controller 202 may transmit data flow information 350 including authorized file IO information 354 to the access control application 212 . Also, in operation 650 , the controller 202 may transmit data flow information 350 including the authorized file IO information 354 to the gateway 203 .

7 illustrates a signal flow diagram for user authentication according to various embodiments, and FIG. 8 illustrates a user interface screen for controller access according to various embodiments. Operations shown in FIG. 7 may be implemented after the signal flow diagram of FIG. 6 , for example.

In order for the node 201 to receive detailed access rights to the destination network, the access control application 212 of the node 201 may authenticate the user of the node 201 from the controller 202 .

Referring to FIG. 7 , in operation 705 , node 201 may receive an input for user authentication. An input for user authentication may be, for example, a user input for inputting a user ID and password. For another example, the input for user authentication may be a user input (eg, biometric information) for stronger authentication.

For example, referring to FIG. 8 , when the access control application 212 is executed, the node 201 may display a user interface screen 810 for receiving information required for controller access. The user interface screen 810 may include an input window 811 for inputting a user ID and/or an input window 812 for inputting a password. After information is input to the

input windows

811 and 812, the node 201 may detect a controller connection event by receiving an input to the button 813 for user authentication.

At operation 710 , node 201 may request user authentication from controller 202 . For example, the access control application 212 may transmit input information for user authentication to the controller 202 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 212 may transmit input information for user authentication together with control flow identification information.

At operation 715 , controller 202 may authenticate the user based on the information received from node 201 . For example, the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (eg, the access policy database 311 of FIG. 2 ). ) or the blacklist database 314), it is possible to determine whether the user is accessible according to the access policy and whether the user is included in the blacklist.

When the user is authenticated, the controller 202 checks the control flow information 340 in the control flow table 315 based on the control flow identification information transmitted by the node 201, and in the checked control flow information 340 User identification information (e.g. user ID) can be added. The added user identification information can be used for the authenticated user's controller access or network access.

In operation 720, the controller 202 may check an access policy corresponding to the information identified in the access policy database 311 (eg, the node 201 and source network information to which the node 201 belongs). The controller 202 may generate white list information of accessible applications based on the checked access policy. In other embodiments, the controller 202 may not perform operation 720. For example, if access to the controller of the target requesting access is not possible, the controller 202 may not perform operation 720 .

At operation 725 , controller 202 may transmit a response to the user authentication request to node 201 . In one embodiment, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In one embodiment, the controller 202 may transmit the white list generated through the execution of operation 720 to the connection control application 212 . Depending on the embodiment, if the object for which access to the controller is requested is unavailable or is included in the blacklist, the controller 202 may notify the controller 202 of inability to access the controller in response to the user authentication request.

In one embodiment, node 201 may process the resulting value for user authentication. For example, the node 201 may output a user interface screen indicating completion of user authentication to the user through a display.

According to another embodiment, the controller 202 may determine that user authentication is impossible. For example, if the user's identification information is included in the blacklist database, the controller 202 may determine that user authentication is impossible. In this case, in operation 725, the controller 202 may transmit information indicating that user authentication is impossible to the node 201, and the node 201 may output a user interface screen indicating that user authentication has failed through the display. can For example, referring to FIG. 8 , node 201 may display user interface screen 820 via access control application 212 . The user interface screen 820 may include a user interface 825 indicating that access to the node 201 is blocked and guiding isolation release through an administrator (eg, the controller 202).

In one embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may further perform operations 730 to 750. Depending on the embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may perform all or part of operations 730 to 750.

At operation 730, the access control application 212 may perform a check of the application. For example, when the white list is received from the controller 202 , the access control application 212 may check whether applications included in the white list are installed in the node 201 . In the case of applications included in the white list among the applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (eg whether or not the application is forged or tampered with, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

At operation 735 , the access control application 212 may send the application's test result to the controller 202 .

The controller 202 may verify whether the application is valid based on the inspection result. If the application is valid, the controller 202 checks the gateways 203-1 and 203-2 where the node 201 is located in the access policy for the node 201 to allow the node 201 to access the network, Thereafter, operation 740 may be performed.

In operation 740, the controller 202 determines the originating node 201 to transmit data packets to the service servers 205-1 and 205-2 via the gateways 203-1 and 203-2 without a network connection request procedure. Data flows can be created based on IP, destination IP and port information.

At operation 745 , the controller 202 may transmit a response to the transmission of the application check result of the connection control application 212 . For example, the controller 202 may transmit data flow information 350 including authorized file IO information 354 to the access control application 212 . Also, in operation 750 , the controller 202 may transmit data flow information 350 including the authorized file IO information 354 to the gateway 203 .

9 illustrates a signal flow diagram for network access according to various embodiments, and the operations shown in FIG. 9 may be implemented after the signal flow diagram of FIG. 6 or FIG. 7 , for example.

Referring to FIG. 9 , in operation 905 , node 201 may detect a network connection event. For example, node 201 can detect through access control application 212 that a target application is attempting to connect to service server 205 .

In one embodiment, the connection control application 212 may inspect the data flow when a network connection event is detected. For example, the access control application 212 may check whether a data flow corresponding to identification information, destination IP and/or port information of the target application exists. In addition, the access control application 212 may check whether the corresponding data flow is valid even if the data flow exists. For example, the access control application 212 checks the integrity and safety of the access control application 212 and the target application according to the validation policy (eg, forgery or tampering of the application, code signing inspection, fingerprint inspection) And, according to the access policy received from the controller 202, whether or not access to the destination IP and port of the target application installed in the node 201 is possible may be checked.

If there is a valid data flow, the access control application 212 can skip the following operations and transmit the target application's data packet to the gateway 203 over the secure session.

If the data flow exists but is not valid, the connection control application 212 may display a user interface screen indicating that the network connection has failed without transmitting the data packet.

If the data flow does not exist, or if renewal is required because the authentication time of the data flow has expired, or if renewal of the data flow is required for other reasons, the access control application 212 may request the controller 202 to connect to the network. there is. According to an embodiment, the access control application 212 performs integrity and safety checks of the access control application 212 and the target application according to a validation policy before requesting network access, and when the integrity and stability of the application are confirmed, the controller 202 may be requested for network access.

At operation 910 , the access control application 212 may request the controller 202 to connect to the network to the service server 205 . In this case, the access control application 212 may transmit target application identification information and identification information (eg, IP and service port) of the service server 205 to the controller 202 together with identification information of the control flow.

At operation 915 , the controller 202 may check the access policy and file IO policy associated with the target application in response to the request received from the access control application 212 .

The controller 202 may check whether the target application satisfies the access policy of the access policy database 311 . For example, the controller 202 determines whether or not identification information of a target (eg, target application) requesting network access and the requested target (eg, service server 205) are included in the access policy database 311 and network access. It is possible to check whether the requesting target can access the gateway.

If access to the target application is impossible, the controller 202 may transmit information indicating that access is impossible to the node 201 in operation 920 . In this case, the connection control application 212 may output a user interface screen indicating that connection is impossible through the display.

If access to the target application is possible, the controller 202 checks the authorized file IO information 354 related to the target (eg, the target application) requesting access, and establishes the access based on the authorized file IO information 354. You can check whether file IO access of the requested object (e.g. target application) is allowed. Confirmation of whether file IO access is allowed is whether to allow the application's file IO access (eg, access such as read or write), or the file path to which the application is allowed access, and/or It can include checks for file paths that are not allowed to be accessed.

The controller 202 may check whether a data flow accessible to the destination IP and port exists in the data flow table 316 in order to allow the node 201 to access the network.

If there is no valid data flow, the controller 202 will create a data flow allowing an object (eg target application) to access the network between the node 201 and the service servers 205-1 and 205-2. can The controller 202 may generate data flow information 350 based on information such as source IP, destination IP and port information, and authorized file IO information 354 . Here, the authorized file IO information 354 may be generated according to a file IO policy.

In operation 920 , the controller 202 may transmit a response to the network access request of the access control application 212 to the node 201 . For example, the controller 202 may transmit the data flow information 350 generated through the execution of operation 915 to the connection control application 212 . Depending on the embodiment, when the connection requesting target cannot be accessed, the controller 202 may notify the network connection failure in response to the network access request.

Node 201 may process the resulting value according to the received response. For example, the access control application 212 may store the received data flow information 350 and perform a file IO table check if a network connection is available. For another example, when receiving a response indicating that network access is unavailable, the node 201 may drop a data packet of the target application. For another example, upon receiving a response indicating that network access is unavailable, the node 201 may remove the file system IO of the target application (or remove the file system IO handle).

Also, at operation 925 , the controller 202 may transmit data flow information 350 to the gateway 203 .

10 is a flowchart illustrating an operation of a node for monitoring file input/output access according to various embodiments. The following operation flow chart may be implemented by node 201 or connection control application 212 installed on node 201 .

At operation 1005, the connection control application 212 may detect a file input/output access event. For example, the access control application 212 may determine that a file input/output access event has occurred when the target applications 211-1, 211-2, and 211-3 (or their processes) access the file IO system.

In operation 1010, the access control application 212 may check the PID of the process accessing the file IO system, and check whether a data flow assigned to the corresponding PID exists. If the data flow exists, the connection control application 212 can perform operation 1020. If the data flow does not exist, the connection control application 212 may perform operation 1015 .

At operation 1015 , access control application 212 may store file IO information in file IO table 317 . For example, access control application 212 may provide identified file IO information (eg, file location, file name, type of file IO (eg, file read or write), and/or file IO time information) of that process. It can be stored in the file IO table 317. Then, when the corresponding process accesses the network, the access control application 212 searches the details in the file IO table 317 so that the data packet can be inspected.

In operation 1020, the access control application 212 may check the type of file IO accessed by the corresponding process. If the type of file IO is write (or all file access types related to writing), the access control application 212 may perform operation 1025. If the type of file IO is read (or all file access types related to reading), the access control application 212 may perform operation 1030.

At operation 1025, access control application 212 may perform a file decryption process. File decryption processing of the connection control application 212 will be described later with reference to FIG. 12 . The access control application 212 may determine whether or not to decrypt the file for the file input/output application and the corresponding file through the file decryption processing process shown in FIG. 12 .

At operation 1030, access control application 212 may perform a file encryption process. File encryption processing of the access control application 212 will be described later with reference to FIG. 13 . The access control application 212 may determine whether to encrypt a file for an application in which file input/output occurs and a corresponding file through the file encryption processing process shown in FIG. 13 .

11 is a flowchart illustrating an operation of a node for examining a file input/output table according to various embodiments. The following operation flow chart may be implemented by node 201 or connection control application 212 installed on node 201 .

At operation 1105, the connection control application 212 may detect a file input/output table check event. The access control application 212 may detect a file IO table check event when a data flow resulting from a network connection is detected. The access control application 212 may detect when the data flow information 350 is obtained (or updated) as a file IO table check event.

At operation 1110, access control application 212 may perform a file IO table check. The access control application 212 checks the file IO table 317 to determine whether there is a target application 211-1, 211-2, 211-3 (or a process thereof) that is using file IO for the data flow. can be checked. The access control application 212 may search the file IO table information 360 corresponding to the PID 361, which is one of the identification information of the target application included in the data flow. If there is a file IO in use by the target application, the access control application 212 may perform operation 1120. If the file IO in use by the target application does not exist, the access control application 212 may perform operation 1115.

At operation 1115, connection control application 212 may transmit a data packet.

At operation 1120, the access control application 212 may ascertain the type of file IO. If the type of file IO is write (or all file access types related to writing), the access control application 212 may perform operation 1125 . If the type of file IO is read (or all file access types related to reading), the access control application 212 may perform operation 1130. The type of file IO accessed by the corresponding process may simultaneously request one or more reads and/or one or more writes, and if multiple file IOs exist, each step may be performed sequentially and/or in parallel. For example,

operations

1125 and 1130 may be performed sequentially and/or in parallel.

At operation 1125, access control application 212 may perform a file decryption process. File decryption processing of the connection control application 212 will be described later with reference to FIG. 12 . The access control application 212 may determine whether or not to decrypt the file for the file input/output application and the corresponding file through the file decryption processing process shown in FIG. 12 .

At operation 1130, access control application 212 may perform a file encryption process. File encryption processing of the access control application 212 will be described later with reference to FIG. 13 . The access control application 212 may determine whether to encrypt a file for an application in which file input/output occurs and a corresponding file through the file encryption processing process shown in FIG. 13 .

12 shows a signal flow diagram for file decryption processing according to various embodiments.

At operation 1205, the access control application 212 may detect a file decryption processing event. For example, the access control application 212 may start a file decryption process when it is determined that the file input/output type is write in operation 1020 of FIG. 10 or operation 1120 of FIG. 11 . The access control application 212 may determine whether or not to decrypt the file with respect to the file input/output access detected through the file decryption process and the corresponding file, and decrypt the file if decryption is permitted.

At operation 1210, the access control application 212 may verify the data flow based on the application identification information and the network identification information. If writing of a file is allowed according to the authorized file IO information 354 of the data flow and file decryption is unnecessary, the access control application 212 may allow writing of the file. When writing a file is not allowed according to the authorized file IO information 354 of the data flow, the access control application 212 may stop the file access (file writing) of the target application. For example, the access control application 212 uses an application programming interface (API) provided by the operating system to stop file access, including removing or conflicting file handles and initializing file write buffers. And, file access (file writing) may be stopped by hooking, forcibly terminating the corresponding process, or executing a command to stop a series of file access control. In addition, the access control application 212 may change the status of the corresponding file IO in the file IO table 317 to the process of stopping access. In addition, the access control application 212 may block data packets received from the network by changing the state of the corresponding data flow and blocking network access. If there is a data packet in transit, the connection control application 212 may drop the data packet.

If writing a file is allowed according to the authorized file IO information 354 of the data flow, but file decryption is required, the access control application 212 releases the file IO access of the target application to identify the file information (eg, all You can write file information and wait until file writing is complete. When file IO access is released, the access control application 212 may obtain unique information and identification information (eg, file name, partial contents of a file, header information, hash information, or signature information) of a target file.

In operation 1215 the access control application 212 may check the file IO table 317 . The access control application 212 may check whether information capable of decrypting the target file exists in the file IO table 317 based on the obtained unique information and identification information of the target file. If information capable of decrypting the target file exists, the file can be decrypted using the decryption algorithm and decryption key included in the encryption/decryption information 365 of the corresponding file. For example, if decryption fails, the access control application 212 may delete the target file. If information capable of decoding the target file does not exist, the access control application 212 performs unique information and identification information (eg, file name, partial contents of the file, header information, hash information, or signature information) of the target file in operation 1220. A file decryption request including may be transmitted to the controller 202 .

At operation 1220 , access control application 212 may send a file decryption request to controller 202 . The access control application 212 transmits a file decryption request including data flow identification information and file identification information to the controller 202, or sends a file decryption request including application identification information, network identification information, and file identification information to the controller (202).

In operation 1225, the controller 202 identifies a data flow corresponding to the target application based on the received data flow identification information or the received application identification information and the network identification information, and displays the identified data flow and the received file identification information. Based on this, it is possible to check whether a target file exists in the file IO table 317. If the target file exists in the file IO table 317, the controller 202 displays information indicating that file decryption is allowed or file decryption is not allowed according to the status information 367 of the file IO table 317 in operation 1240. Information indicating can be transmitted to the node 201. When the target file does not exist in the file IO table 317, the controller 202 selects a user, a terminal (eg, node 201), and an application (target applications 211-1 and 211 from the file IO policy database 312). -2 or 211-3)), and whether or not to allow the decryption of the corresponding file can be checked through the file IO policy matched to the network. In addition, the controller 202 queries the external linkage system 207 whether or not to allow file decryption (operation 1230) and receives a response (operation 1235), thereby determining whether to allow file decryption based on the received response. there is. The controller 202 may add corresponding information to the file IO table 317 based on the file IO information and the result of checking whether or not to allow file decryption. If file decryption is not permitted as a result of confirmation through the file IO policy and/or the external linkage system 207, the controller 202 may transmit information indicating that file decryption is not permitted to the node 201 in operation 1240. .

At operation 1240 , controller 202 may transmit a response to the file decryption request to node 201 . The response to the file decryption request may include information on whether or not the file is decrypted.

At operation 1245, connection control application 212 may process the received result. If the received result value indicates that file decryption is allowed for the target application and the target file, the access control application 212 displays the file IO table 317 including the corresponding file IO information and status information indicating that file decryption is allowed. Information can be added or updated. When file decryption is allowed for the target application and the target file, the access control application 212 determines the decryption algorithm and decryption information included in the file encryption and decryption information (eg, encryption/decryption information 365) received from the controller 202. You can decrypt files with the key. If the received result value indicates that file decryption for the target application and target file is not allowed, the access control application 212 may delete the target file so that the file cannot be used.

13 shows a signal flow diagram for file encryption processing according to various embodiments.

At operation 1305, the access control application 212 may detect a file encryption processing event. For example, the access control application 212 may start a file encryption process when it is determined that the file input/output type is read in operation 1020 of FIG. 10 or operation 1120 of FIG. 11 . The access control application 212 may determine whether or not to encrypt the file with respect to the application and target file for which file IO access is detected through file encryption processing, and encrypt the target file if encryption is required.

At operation 1310, the access control application 212 may verify the data flow based on the application identification information and the network identification information. If reading of a file is allowed according to the authorized file IO information 354 of the data flow and file encryption is unnecessary, the access control application 212 may permit reading of the file. When reading a file is not permitted according to the data flow authorized file IO information 354, the access control application 212 may stop the file access (reading the file) of the target application. For example, the access control application 212 uses an application programming interface (API) provided by the operating system to stop file access, including removing or conflicting file handles and initializing file read buffers. And, file access (reading a file) may be stopped by hooking, forcibly terminating the corresponding process, or executing a command to stop a series of file access control. In addition, the access control application 212 may change the status of the corresponding file IO in the file IO table 317 to access suspension processing, or add file IO information of the corresponding file IO to the file IO table 317. In addition, the access control application 212 may block data packets received from the network by changing the state of the corresponding data flow and blocking network access. If there is a data packet in transit, the connection control application 212 may drop the data packet.

If reading of the file is allowed according to the file IO information of the data flow, but file encryption is required, the access control application 212 may perform operation 1315.

In operation 1315, the access control application 212 may check whether a corresponding file IO exists in the file IO table 317 based on the application identification information and the file IO information. If the corresponding file IO exists in the file IO table 317 and the target file can be read, the access control application 212 may allow the file read of the target file of the target application. If the corresponding file IO exists in the file IO table 317 and it is impossible to read the target file, the access control application 212 may stop the file access (reading the file) of the target application to the target file. Regarding the interruption process, the above description can be equally applied. If the corresponding file IO does not exist in the file IO table 317, or if the corresponding file IO exists in the file IO table 317 but requires file encryption, the access control application 212 provides unique information and identification of the target file Information (eg, file name, partial contents of a file, header information, hash information, or signature information) may be obtained, and a file encryption request including the obtained file identification information may be transmitted to the controller 202 .

At operation 1320 , access control application 212 may send a file encryption request to controller 202 . The access control application 212 transmits a file encryption request including data flow identification information and file identification information to the controller 202, or a file encryption request including application identification information, network identification information, and file identification information to the controller (202).

In operation 1325, the controller 202 identifies a data flow corresponding to the target application based on the received data flow identification information or the received application identification information and the network identification information, and displays the identified data flow and the received file identification information. Based on this, it is possible to check whether a target file exists in the file IO table 317. If the target file exists in the file IO table 317, the controller 202, in operation 1340, according to the status information 367 of the file IO table 317, information indicating that file encryption is required or that file encryption is unnecessary The indicated information may be transmitted to the node 201 . When the target file does not exist in the file IO table 317, the controller 202 selects a user, a terminal (eg, node 201), and an application (target applications 211-1 and 211 from the file IO policy database 312). -2 or 211-3)), and whether file encryption is required can be confirmed through the file IO policy matched to the network. In addition, the controller 202 queries the external linkage system 207 whether file encryption is required (operation 1330) and receives a response (operation 1335), thereby confirming whether file encryption is required based on the received response. The controller 202 may add corresponding information to the file IO table 317 based on the file IO information and the result of checking whether the file encryption is necessary. When file encryption is unnecessary as a result of confirmation through the file IO policy and/or the external linkage system 207 , the controller 202 may transmit information indicating that file encryption is unnecessary to the node 201 in operation 1340 . If file encryption is required as a result of checking through the file IO policy and/or the external linkage system 207, the controller 202 transmits information necessary for file encryption (eg, file IO table information 360) to the node 201 in operation 1340. ) can be transmitted.

At operation 1340 , controller 202 may send a response to the file encryption request to node 201 . A response to the file encryption request may include information on whether file encryption is required.

At operation 1345, connection control application 212 may process the received result. When the received result value indicates that file encryption is required for the target application and the target file, the access control application 212 displays the file IO table 317 including the corresponding file IO information and state information indicating that file encryption is required. Information can be added or updated. If encryption of the target file is required, the access control application 212 may encrypt the file with an encryption algorithm and an encryption key included in the file encryption and decryption information (eg, encryption/decryption information 365) received from the controller 202. there is. When the received result value indicates that file encryption for the target application and target is unnecessary, the access control application 212 may allow the target application 212 to access (read the file) the target file.

14 shows a flow diagram of operation of node 201 for data packet transmission according to various embodiments. The following operation flow chart may be implemented by node 201 or connection control application 212 installed on node 201 .

Referring to FIG. 14 , at operation 1410, connection control application 212 may detect a data packet transmission event. The access control application 212 may detect a data packet transmission request requested by the target applications 211-1, 211-2, and 211-3 (or processes thereof) as a data packet transmission event.

In operation 1420, the connection control application 212 identifies the data packet to be transmitted and the target applications 211-1, 211-2, and 211-3 when a data packet transmission event is detected after the network access is allowed, and the data flow You can check whether it exists or not. Target applications 211-1, 211-2, 211-3 (or their processes) requesting transmission of data packets are identified, and the identified target applications 211-1, 211-2, 211-3 ( Alternatively, the PID of the process) may be checked, and it may be checked whether a data flow allocated to the corresponding PID exists.

If the data flow exists, connection control application 212 may proceed to operation 1430 . If the data flow does not exist, connection control application 212 may proceed to operation 1435 . At operation 1435, connection control application 212 may drop the data packet if the data flow does not exist.

At operation 1430, the access control application 212 can check the file IO table if there is a data flow.

In operation 1440, the access control application 212 may check whether the file IO or read of the target application (or its process) is permitted in the authorized file IO information 354 of the data flow information 350. If file IO or read is allowed, access control application 212 may proceed to operation 1455 . If file IO and read are not allowed, access control application 212 may proceed to operation 1545 . At operation 1455, connection control application 212 may transmit the data packet to the network.

At operation 1445, the access control application 212 may verify that the file IO does not exist in the file IO table 317. The access control application 212 uses the PID, which is one of the application identification information, to determine whether there is a read-type file IO, or whether a read-type file IO is being accessed, and whether there is a file IO that has been used after access. You can check. The access control application 212 determines whether there is a file IO of a read type performed by the target application (or its process), whether a file IO of a read type is being accessed, and whether there is a file IO that has been used after access. can check whether

If file IO does not exist, connection control application 212 may proceed to operation 1455 . If file IO exists, connection control application 212 may proceed to operation 1450 . At operation 1455, connection control application 212 may transmit the data packet to the network.

At operation 1450, connection control application 212 may examine the data packet if file IO exists. The access control application 212 checks the target file of the file IO, and whether some contents of the target file or unique information (eg, hash, header information, signature information, etc.) for managing the target file are included in the data packet. can be inspected. The access control application 212 may check whether some contents of a file or unique information for managing a file (eg, hash, header information, signature information, etc.) are included in the transmitted data packet.

At operation 1460, connection control application 212 may verify whether the inspection of the data packet was successful. The access control application 212 determines that the inspection of the data packet has failed if the data packet contains some contents of the file or unique information (eg, hash, header information, signature information, etc.) for managing the file. can If the inspection of the data packet is successful, connection control application 212 may proceed to operation 1455 . If the inspection of the data packet fails (that is, if the data packet does not contain some contents of the file or unique information for managing the file (eg hash, header information, signature information, etc.)), the access control application ( 212) may proceed to operation 1450. At operation 1470, connection control application 212 may transmit the data packet to the network.

At operation 1470, the connection control application 212 may drop the data packet and close the network connection.

15 illustrates a signal flow diagram for updating a control flow according to various embodiments.

Referring to FIG. 15 , in operation 1505, the access control application 212 may request a control flow update.

In one embodiment, the access control application 212 may request a control flow update from the controller 202 to maintain the control flow and data flow. In one embodiment, when the file IO table 317 stores or reads a file through a network connection, the access control application 212 may request an update of the control flow to transmit the details of the file IO access being blocked. In addition, the access control application 212 may request a control flow update including identification information of the control flow for each designated period.

At operation 1510, the controller 202 may update (check) the control flow. For example, the controller 202 determines whether the control flow information 340 indicated by the received identification information exists in the control flow table 315, and if the control flow information 340 exists, the data flow information 350 subordinate thereto You can check if exists. When the connection is released by another security system, the update time elapses, or the connection is released due to risk detection, the control flow may not exist.

For example, if the update (check) fails, the controller 202 node 201 may terminate the access control application 212 or block the access control application 212 from accessing the network. For another example, if the update (check) succeeds, the controller 202 may update the expiration time of the control flow and the data flow dependent thereon. In this case, the node 201 may update control flow information 340 and data flow information 350 .

When there is the file IO table information 360 received from the node 201, the controller 202 updates the file IO table 317 existing in the controller 202 and sends the updated file IO table 317 to Based on this, it is used as data for inquiry and audit of actions from users and nodes 201, and when an abnormal action occurs, the control flow can be terminated.

In operation 1515 , the controller 202 may transmit update (check) result information to the connection control application 212 . For example, if the update (check) fails, the controller 202 may transmit unreachable information. For another example, if the update (check) is successful, the controller 202 may transmit the updated control flow information 340 and data flow information 350 subordinate thereto to the access control application 212 . In this case, the node 201 may update control flow information 340 and data flow information 350 .

The access control application 212 may process update (check) result information.

If the control flow update result indicates that access is unavailable, the access control application 212 may terminate the target application or block all network access of the target application. If the control flow update result indicates normal and there is updated data flow information 350 , the connection control application 212 may update the data flow table 316 in the connection control application 212 .

Referring to FIG. 16 , in operation 1605, the node 201 may request the controller 202 to terminate the control flow. For example, the node 201 may request control flow termination when the connection control application 212 is terminated, when the network connection is not used for a specified amount of time, or when a connection termination request is received from another system.

At operation 1610 , controller 202 can remove the control flow corresponding to the identification information received from node 201 . The controller 202 may also remove the data flow dependent on the removed control flow.

In operation 1615, the controller 202 requests the gateway 203 to remove the data flow, and in operation 1620, the gateway 203 may block the connection control application 212 from accessing the network by removing the data flow.

17 illustrates a signal flow diagram for data flow cancellation according to various embodiments.

Referring to FIG. 17 , in operation 1705, the access control application 212 may detect termination of the target application. The access control application 212 may monitor in real time whether a target application running on the node 201 is terminated.

At operation 1710 the access control application 212 may check the data flow table 316 . The access control application 212 may check whether a data flow corresponding to the identification information and PID (or PID of a child) of the terminated target application exists in the data flow table 316 . When the data flow of the target application is confirmed, the access control application 212 may delete the corresponding data flow from the data flow table 316 .

In order to track the termination of multiple executable target applications, the access control application 212 converts the data flow corresponding to the identification information of the terminated application into a data flow table (if the terminated target application does not exist in the running process list). 316) can be deleted.

In operation 1715 the connection control application 212 may request the controller 202 to terminate the data flow. For example, the access control application 212 may transmit the deleted data flow list to the controller 202 in operation 1710 to request termination of the data flow.

At operation 1720 , controller 202 can remove the data flow corresponding to the data flow list from node 201 . In operation 1725, the controller 202 requests the gateway 203 to remove the data flow, and in operation 1730, the gateway 203 removes the data flow, thereby providing a service corresponding to the removed data flow of the connection control application 212. Access to the server 205 may be blocked.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims

In node,

communication circuit;

a processor in operative connection with the communication circuitry; and

a memory operably coupled with the processor, wherein the memory stores a connection control application and a target application, wherein the memory, when executed by the processor, causes the node to:

When a file IO access event of the target application is detected, through the access control application, it is checked whether a data flow allocated to the target application exists,

If there is a data flow allocated to the target application, check the type of file IO of the target application through the access control application;

If the type of the identified file IO is write, file decryption is performed through the access control application;

When the type of the confirmed file IO is read, storing commands for performing file encryption processing through the access control application.
The method of claim 1,

The commands are such that the node,

When a data flow allocated to the target application does not exist, store file information related to the file IO of the target application in a file IO table through the access control application.
The method of claim 1,

The commands are such that the node,

When a file IO table check event of the target application is detected, through the access control application, it is checked whether there is a file IO being used by the target application in the file IO table;

If the file IO in use does not exist, transmit a data packet to a service server through the access control application,

If the file IO in use exists, check the type of the file IO in use through the access control application;

If the confirmed type of file IO in use is write, the file decryption process is performed through the access control application;

and performing the file encryption process through the access control application when the confirmed type of the file IO in use is read.
The method of claim 1,

The commands are such that the node,

When a file decryption process event is detected, the file decryption process is started through the access control application;

When the authorized file IO information of the data flow indicates that file writing is permitted and file decryption is unnecessary, allowing the target application to write the file through the access control application,

When the authorized file IO information indicates that file writing is not allowed, blocking file writing of the target application through the access control application;

When the authorized file IO information indicates that file writing is allowed and file decryption is required, the node that determines whether file information capable of decrypting a target file exists in the file IO table through the access control application.
The method of claim 4,

The commands are such that the node,

If the file information capable of decrypting the target file exists in the file IO table, the target file is decrypted using the file information through the access control application;

If the file information capable of decrypting the target file does not exist in the file IO table, transmit a file decryption request including file identification information of the target file to an external server through the access control application.
The method of claim 5,

The commands are such that the node,

Receiving a response to the file decryption request from the external server;

If the response indicates that file decryption is not allowed for the target application and the target file, delete the target file;

and if the response indicates that file decryption for the target application and the target file is allowed, cause the target file to be decrypted using a decryption algorithm and a decryption key included in the response.
The method of claim 1,

The commands are such that the node,

When a file encryption process event is detected, the file encryption process is started through the access control application;

When the authorized file IO information of the data flow indicates that file reading is permitted and file encryption is unnecessary, allowing the target application to read the file through the access control application,

When the authorized file IO information indicates that reading of the file is not allowed, blocking the target application from reading the file through the access control application;

If the authorized file IO information indicates that file reading is allowed and file encryption is required, the node, through the access control application, checks whether the file IO exists in the file IO table.
The method of claim 7,

The commands are such that the node,

If the file IO exists and file reading of the target file is permitted, allowing the target application to read the file through the access control application;

Blocking file reading of the target application through the access control application when the file IO exists and file reading of the target file is not permitted;

If the file IO does not exist or if the file IO exists but file encryption for the target file is required, a file encryption request including file identification information of the target file is transmitted to an external server through the access control application Node.
The method of claim 8,

The commands are such that the node,

Receiving a response to the file encryption request from the external server;

When the response indicates that file encryption for the target application and the target file is unnecessary, allowing the target application to read the file for the target file;

and if the response indicates that file encryption is required for the target application and the target file, cause the target file to be encrypted using an encryption algorithm and encryption key included in the response.
in the server,

communication circuit;

a processor in operative connection with the communication circuitry; and

a memory operably coupled to the processor and storing a database, the memory, when executed by the processor, causes the server to:

Receiving a file decryption request from an access control application of a node, the file decryption request including file identification information of a file input output (IO) target file,

Checking whether file IO table information for the target file exists in the database using the file identification information;

If the file IO table information exists, check whether or not the file is decrypted for the target file based on the file IO table information;

A server that stores instructions for transmitting a response indicating whether or not the file is decrypted for the target file to the access control application of the node.
The method of claim 10,

The commands are such that the server,

Check whether file decryption for the target file is allowed according to the file IO table information;

Transmitting information on whether or not to allow file decryption of the target file to the access control application of the node;

and transmit a decryption algorithm and a decryption key for decrypting the target file to the access control application of the node when decryption of the file is permitted.
The method of claim 10,

The commands are such that the server,

If the file IO table information does not exist, check whether file decryption of the target file is allowed through a file IO policy and an external server;

sending information on whether or not the file decryption is allowed to the access control application of the node;

and transmit a decryption algorithm and a decryption key for decrypting the target file to the access control application of the node when decryption of the file is allowed.
in the server,

communication circuit;

a processor in operative connection with the communication circuitry; and

a memory operably coupled to the processor and storing a database, the memory, when executed by the processor, causes the server to:

Receive a file encryption request from an access control application of a node, the file encryption request includes file identification information of a file input output (IO) target file,

Checking whether file IO table information for the target file exists in the database using the file identification information;

If the file IO table information exists, check whether the target file is encrypted based on the file IO table information;

A server that stores instructions for transmitting a response indicating whether the file is encrypted for the target file to the access control application of the node.
The method of claim 13,

The commands are such that the server,

Check whether file encryption is required for the target file according to the file IO table information;

Transmitting information on whether file encryption is required for the target file to the access control application of the node;

and to transmit an encryption algorithm and an encryption key for encrypting the target file to the access control application of the node when the file encryption is required.
The method of claim 13,

The commands are such that the server,

If the file IO table information does not exist, check whether file encryption for the target file is required through a file IO policy and an external server;

sending information on whether the file encryption is required to the access control application of the node;

and send an encryption algorithm and an encryption key for encrypting the target file to the access control application of the node when the file encryption is permitted.
In the operating method of the node,

When a file IO access event of a target application of the node is detected, checking whether a data flow allocated to the target application exists through an access control application of the node;

If there is a data flow allocated to the target application, checking the type of file IO of the target application through the access control application;

If the type of the identified file IO is write, performing a file decryption process through the access control application, and

and performing file encryption processing through the access control application when the type of the identified file IO is read.
In the method of operating the server,

Receiving a file decryption request from an access control application of a node, the file decryption request including file identification information of a file input output (IO) target file,

Checking whether file IO table information for the target file exists in the database of the server using the file identification information;

If the file IO table information exists, checking whether or not a file is decrypted for the target file based on the file IO table information; and

and transmitting a response indicating whether or not the file is decrypted for the target file to the access control application of the node.
In the method of operating the server,

Receiving a file encryption request from an access control application of a node, the file encryption request including file identification information of a file IO (input output) target file,

Checking whether file IO table information for the target file exists in the database of the server using the file identification information;

If the file IO table information exists, checking whether the target file is encrypted based on the file IO table information, and

and transmitting a response indicating whether the target file is encrypted to the access control application of the node.