KR100976602B1 - Method and Apparatus for file transference security - Google Patents

Abstract

The present invention relates to a file transfer security method and apparatus performed in an operating system kernel layer, the method comprising: receiving a file transfer request from at least one application; And filtering whether or not the file information to be transmitted is compared with the pre-stored filtering information, and filtering whether or not to transmit the file information. It is possible to set by grade.

Security, file transfer, kernel layer

Description

File transfer security method and device {Method and Apparatus for file transference security}

The present invention relates to a file security method and apparatus, and more particularly, to a file transfer security method and apparatus performed in the operating system kernel layer.

With the advent of new protocols and applications and the introduction of services, the Internet and network environments are becoming more extensive and diversified. The rapid development and expansion of the network environment around the world has exposed various security threats both internally and externally, and breaches and attacks on information systems are becoming increasingly complex. Infringement of such a system causes problems by accessing the system for illegal purposes, attempting to manipulate, change, leak, and down the information.

Targets for information systems are expanding from specific information systems to a number of unspecified systems, and are being increasingly intelligent as a wide range of attacks such as stopping entire network services through network neutralization. In addition, in the Internet environment, anyone around the world can share the open data, and many electronic bulletin boards and online information exchange methods are provided so that they cannot be censored one by one, and new intrusion methods for hacking attacks can be easily spread. As a result, similar types of intruders are being produced.

Various security researches are being conducted to prevent attacks and intrusions on these increasingly intelligent networks, and at the same time, many security devices have been developed. Among these security solutions, the most basic security systems are used as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). These security systems monitor incoming and outgoing traffic in accordance with established security policies, block inappropriate access or traffic, and detect and analyze harmful traffic such as intrusion attempts or unauthorized actions through traffic monitoring and attack type analysis. Notify the administrator.

Security technology to prevent attack and invasion from the outside is also important, but in-house and public institutions where importance is placed on internal security need to develop security technology to prevent files from being transmitted through the network.

SUMMARY OF THE INVENTION The present invention is derived from such a background, and an object of the present invention is to provide a file transfer security method and apparatus that can more specifically set a security standard for file transfer.

The technical problem is a file transfer security method performed in a kernel region in which a protocol driver and a network interface device are hierarchically included in the kernel region, the method comprising: receiving a file transfer request from at least one application; And controlling the transmission by comparing the file data to be transmitted with pre-stored filtering information. The method is achieved by a file transfer security method comprising: performing at a higher layer of the protocol driver.

According to the present invention, it is possible to set various criteria for file transmission security by level by filtering the transmission file in advance in the transmission driver upper layer by the filtering information which the administrator can freely set through the security management server. . That is, it becomes possible to specifically set the filtering criteria of the file transfer.

The foregoing and further aspects of the present invention will become more apparent through preferred embodiments described with reference to the accompanying drawings. Hereinafter will be described in detail to enable those skilled in the art to easily understand and reproduce through this embodiment of the present invention.

1 is an exemplary diagram of a system to which a file transfer security device according to an exemplary embodiment of the present invention is applied.

The file transmission security apparatus according to the present invention may be implemented in an application such as an email, a messenger, or an FTP, that is, a terminal device capable of transmitting a file through an application program.

The security management server 100 is connected to a terminal device in which a plurality of file transfer security devices are implemented. In this embodiment, the connection may be via TCP or other trusted SOCKET channels. The security management server 100 includes a management server DB 105 that stores filtering information about a plurality of terminal devices. The security management server 100 may receive a connection request from the driver agent process 110 or the security management server 100 may request a connection to the driver agent process 110.

In addition, the security management server 100 creates and manages control setting information for the file filter driver 122 of the file transfer security device according to the present invention to control the transfer of file data. In the present embodiment, the management server DB 105 included in the security management server 100 stores the setting information input from the administrator through the security management server 100 as filtering information. In addition, the security management server 100 may receive and edit the change of the setting information from the administrator.

The terminal device on which the file transfer security device according to the present invention is implemented includes an application process area and a kernel area. In more detail, the application process area includes a driver agent process 110 for obtaining filtering information of a corresponding terminal from the security management server 100, a file transfer process 112 for transmitting data to the outside, and a file stored through various applications. File reading process 114 that reads the data.

The driver agent process 110 is connected to the security management server 100 to obtain filtering information about the corresponding terminal device. The driver agent process 110 may obtain subset information of the corresponding terminal device among filtering information about the plurality of terminal devices stored in the management server DB 105 described above. In addition, the driver agent process 110 may establish a network communication channel with the security management server 100, and may further receive data necessary for control continuously or periodically through this channel. When the driver agent process 110 receives data necessary for control from the security management server 100, the driver agent process 110 calls the file filter driver and delivers the received data. In other words, the driver agent process 110 relays the security management server 100 and the driver in the kernel region.

In one embodiment, the filtering information includes at least control target process information, transmission / reception IP address, reception port information, and packet filtering rule information. A more detailed description of the filtering information will be described later. The file transfer process 112 may be implemented with an application such as iExplore, ALFTP, for example. In addition, the file reading process 114 may be implemented as an application program that can read a file for file transfer, such as a Windows file explorer or a messenger.

The kernel region includes a network filter region 120 and a file system region 130. The network filter area 120 checks whether or not the file is allowed to be transmitted through a file transfer process 112 for the file transfer requested through any application. Files allowed for transfer are transferred over the network, and other files are dropped to block the transfer. The network filter area 120 includes a file filter driver 122, a protocol driver 124, and a network interface device (NIC). When the terminal device attempts to transfer data through the file transfer process 112 in the application process area, the file filter driver 122 of the upper layer of the network interface device (NIC) 126 driver first determines whether the file is included in the data. Call the interface with the file system area 130 to determine. In addition, it may be determined whether a file is included in data to be transmitted in cooperation with the file system area 130 to be described later.

Then, the filtering information of the corresponding terminal obtained from the security management server 100 through the driver agent process 110 is identified and compared with the file reading process 114 and the transmission data. As a result of the comparison, the file that is allowed to be transmitted may be transmitted over the network via the protocol driver 124 and the NIC 126. On the other hand, if the file is not allowed to be transmitted, the file filter driver 122 may block the file transfer without dropping the file. Here, the protocol driver 124 performs a procedure for data transmission of a specific protocol packet (TCP, UDOm HTTP) or transmission data stream. Networks are interpreted to cover communication network configurations such as Ethernet, Internet, Wireless LAN, WAN, and VPN.

The file system area 130 includes a file system driver 134, a system driver 134, and a disk driver 136. The file system driver 134 generates a hash key when any file reading process 114 at the terminal accesses the file system. The file system driver 134 in the kernel region hashes the files read through the file reading process 114 in the application process region to generate a hash key list of the read files.

In this embodiment, the file system driver 134 generates a hash key with the first 256 bytes of data to be passed. The hash key contains low level file handles and hash key value information. In addition, an interface with the network filter area 120 is provided to process a request for checking whether the file data is transmitted from the network filter area 120. The generated hash key list is deleted when the terminal device is powered off and is set up at boot time.

Accordingly, the file filter driver 122 generates a hash key by hashing data having a transfer request, and whether the generated hash key is a general data transfer or not depending on whether the generated hash key exists in the hash key list of the file system driver 134. You can determine if it is a transmission.

Hereinafter, the configuration of the file transfer security apparatus according to the present invention will be described in more detail with reference to FIG. 2. 2 is a block diagram showing the configuration of a file transfer security device according to an embodiment of the present invention.

As shown, the file transmission security apparatus according to the present invention includes a filtering information storage unit 200, a file filter driver 122, and a file transmission unit 210 for storing filtering information.

The filtering information storage unit 200 stores the unique filtering information of the corresponding terminal obtained from the security management server 100. In the present embodiment, the filtering information includes at least one of control process information, transmission / reception IP address, reception port, and packet filtering rule information. The controlled process information is, for example, file transfer process information such as messenger and explorer webmail. Accordingly, the file transmission through the in-house security messenger may be allowed and the file transmission through the messenger used and distributed to the public may be blocked. This can be controlled by matching the process name requesting file transfer with the process name included in the pre-stored filtering information.

Transmitting / receiving IP port address and receiving port information can be used as filtering information. By setting the transmission / reception IP port address, file transmission is possible only to a terminal of an arbitrary first IP address, and file transmission is allowed only from a terminal of another arbitrary second IP address. It is also possible to set the transmission of the file received from the terminal of any third IP address to be blocked. In other words, the upper layer protocols (TCP, UDP, HTTP, and other application layer protocols) of the IP layer protocol check for the sending (SRC) IP address, the receiving (DST) IP address, and the receiving (STC) port to allow or block the file transfer. Can be.

In addition, by using the packet filtering rule information, the application protocol may define itself and control whether to allow or block file transfer according to an additional pattern for analyzing data included in the packet. For example, by pattern matching specific string data of the HTTP protocol, a file containing a specific string may be implemented to block the transmission. This allows you to filter the file transfers for specific content by setting key strings, picture file tags, etc. to capture the overall content of the file.

In addition, the filtering information may be set differently according to a security level set for each department and position in the company, for example. That is, the administrator may change the filtering information for the individual terminals by using the security management server 100, or may change the filtering information for the plurality of terminals set in a group.

The file filter driver 122 is installed in an OS kernel filter driver layer of the terminal. The file filter driver 122 is installed by the security management server 100 through an authenticated web service path or manually by a terminal user. In more detail, the file filter driver 122 is installed in an upper layer of a driver that is finally connected to a network interface device (NIC). The file transfer unit 210 may actually be included in one area with the above-described file filter driver 122 and includes a protocol driver 124 and a NIC driver 126.

In the present embodiment, when a file transfer request is received from at least one application, the file filter driver 122 determines whether to allow file transfer based on the filtering information stored in the filtering information storage unit 200. In the case of a file that is allowed to be transmitted, the file is transmitted through the file transmitter 210. On the other hand, if the file is blocked, the file is not transferred. In addition, the file filter driver 122 may be configured to report a file transfer permission, a current status of a transfer drop, a history, and the like to the corresponding application or another application, and notify the user of the file application.

According to a characteristic aspect of the present invention, the file transfer security apparatus according to the present invention further includes a file transfer detector 220 for detecting whether a file transfer request is received from the at least one application to the file filter driver 122. The file transfer detection unit 220 generates a hash key list by hashing each file called by an application, and when a file transfer request is received from the application, the file transfer detector 220 determines whether a hash key of the file exists in the hash key list. Detects whether a transfer request is received.

When the application attempts to transfer a file, the file transfer detector 220 determines whether a file is included in the transmission data stream or a specific protocol packet (TCP, UDP, HTTP, etc.) data. The interface provided by the file system driver 134 is called to determine whether a file is included in the packet data.

Hereinafter, an operation of determining whether a file is included in specific protocol packet data through hashing will be described by way of example. For example, suppose that the packet data to be transmitted is composed of packet header 100 bytes, packet data 1,828 (128 + 100 + 1,600) bytes, application program header 128 bytes, and application program definition data.

The file filter driver 122 performing the file transfer function cannot distinguish data from headers defined by the application program in the packet data. Therefore, a hash key is generated by repeatedly hashing 1572 (1828-256) times in increments of one byte in 256 byte units at the start of packet data. In addition, it is determined whether the generated hash key exists in the hash key list generated by the file system driver 134. The file filter driver 122 determines that the file is included in the data when the generated hash key exists in the previously stored hash key list.

According to an aspect of the present invention, the file transfer security device further includes a filtering information update unit 230 for obtaining filtering information from the security management server 100 and updating the filtering information stored in the filtering information storage unit 200. The filtering information updater 230 may communicate with the security management server 100 through a reliable communication path. The filtering information unique to the terminal may be obtained from the security management server 100 to update the information stored in the filtering information storage unit 200. In the present embodiment, it may be implemented to continuously communicate with the security management server 100, or may be implemented to request updated information to the security management server 100 periodically. Alternatively, the security management server 100 may be implemented to receive updated information periodically.

Accordingly, the filtering information can be freely set by the administrator through the security management server 100. In addition, it is possible to set various criteria for each class so that it is possible to specifically set filtering criteria for file transfer.

Hereinafter, a file transfer security method according to the present invention will be described in detail with reference to FIG. 3. 3 is a flowchart of a file transfer security method according to an embodiment of the present invention.

First, referring to the file transfer security method performed in the network system filter driver area, if there is a data transfer request from the application layer, that is, the application (S300), it is detected whether the file transfer is included in the data transfer request or whether the file transfer is performed (S310).

At this time, according to the file transfer security method performed in the file system driver area, when a random file read process file system is accessed (S360), a hash key of the file is generated (S370). A hash key list of the read files may be generated by hashing each of the plurality of files read through the file reading process in the application process area (S380). In this embodiment, a hash key is generated from the first 256 bytes of data. The hash key contains low level file handles and hash key value information. In operation S400, it is determined whether a generated hash key exists in a hash key list generated in the file system driver region.

If the hash key generated as a result of the comparison in step S310 exists in the hash key list, it is recognized as a file transfer. If the comparison result is a file transfer packet (S320), it is compared with previously stored filtering information (S330).

4 is a flowchart of a process of determining whether a hash key generated according to an embodiment of the present invention exists in a hash key list. As shown in the figure, the network system filter driver region S310 queries the file system driver region S400 for the existence of the hash key. Then, the filter driver region sets variables necessary for detecting whether the hash key generated in the filter driver region exists in the hash key list (S410). In detail, as shown in FIG. 4, PacketData sets input data and a size (DataSize) of input data. It also initializes the Read Pointer (0) and sets the ReadLen to 256 to generate a hash key value with the first 256 bytes.

The hash key is generated from 0 to 256 bytes of data (PacketData) to generate the hash key (S420). After that, it is possible to check whether all data has been read by comparing ReadPointer with DataSize (S430). On the other hand, when the ReadPointer is smaller than the DataSize compared to the ReadPointer, the HashKey is regenerated by increasing the ReadPointer by 1 (S435). That is, while reading all data, HashKey is generated repeatedly by increasing ReadPointer by 1.

If the hash key exists in the hash key list generated in step S380 after reading all the data (S440), a value to be provided as a result value is set to 1 (S450). On the other hand, if the hash key does not exist, the value value is 0 (S455). Then, the result value, that is, the value value is returned as a result value for checking whether the file is transmitted (S310) (S460).

The step S310 of checking whether the file is transmitted may be confirmed by receiving a hash key comparison result, that is, a value value, whether the data to be transmitted includes a file transfer request. In the case of the file transfer packet according to the reception result (S320), the file information is compared with the filtering information (S330). In this case, the filtering information is a value already received and stored from the security management server and includes at least one of control process information, transmission / reception IP address, reception port, and packet filtering rule information. That is, it may be determined whether to allow file transmission based on filtering information for file transmission already set in the corresponding terminal.

If the file is allowed to be transmitted (S340), the file is transmitted to the outside via the network (S350). On the other hand, in the case of a file for which file transmission is not allowed as a result of the comparison with filtering information, the transmission is blocked (S345).

On the other hand, the above-described file transfer security method can be created by a computer program. The program may also be embodied by being stored in a computer readable media and being read and executed by a computer. The storage medium includes a magnetic recording medium, an optical recording medium and the like.

So far I looked at the preferred embodiments of the present invention. Those skilled in the art will appreciate that the present invention can be implemented in a modified form without departing from the essential features of the present invention. Therefore, the disclosed embodiments should be considered in descriptive sense only and not for purposes of limitation. The scope of the present invention is shown in the claims, and all differences within the scope equivalent thereto should be construed as being included in the present invention.

1 is an exemplary diagram of a system to which a file transfer security device according to an embodiment of the present invention is applied;

2 is a block diagram showing the configuration of a file transfer security device according to an embodiment of the present invention;

3 is a flowchart of a file transfer security method according to an embodiment of the present invention;

4 is a flowchart of a process of determining whether a hash key generated according to an embodiment of the present invention exists in a hash key list.

Claims (10)

A file transfer security method performed in a file filter driver, which is a higher layer of a protocol driver and a network interface device, included in a kernel region, Receiving a file transfer request from at least one application; Allowing or blocking file transfer by comparing filtering information for determining whether to transfer a file previously stored by a driver agent process of an application process area with file information to be transmitted according to the file transfer request; And If it is determined that the file transfer is allowed, transmitting the file in accordance with the file transfer request; file transfer security method comprising a. The method of claim 1, wherein prior to receiving the request, If a data transfer request is received from at least one application, detecting whether the data is a file transfer type packet and recognizing the file transfer request; wherein the step of recognizing is performed by a file filter driver. File transfer security method. The method of claim 2, wherein the recognizing step, Obtaining file information called in an application of an application layer; Generating a hash key list by hashing the called file according to the obtained information; And Receiving a transfer request of the called file from the application, hashing the transfer requested file to generate a hash key, and recognizing the generated file as a file transfer request if the generated hash key exists in the hash key list. File transfer security method, characterized in that. The method of claim 2, The driver agent process further comprises the step of updating the pre-stored filtering information to determine whether to transfer the file, using the filtering information obtained from the security management server. The method of claim 2, The filtering information is a file transfer security method, characterized in that is set for each security level for the terminal on which the file transfer security method is performed. A filtering information storage unit for storing filtering information for determining whether to transmit a file; A file filter driver that determines whether to allow file transfer according to the transfer request by comparing file information according to the transfer request with the filtering information when a file transfer request is received from at least one application; And And a file transmitter for transmitting a file allowed to be transmitted by the filter driver to a network. The method of claim 6, And a file transfer detector for detecting whether a file transfer request is received from the at least one application. The method of claim 7, wherein the file transfer detection unit, A hash key list is generated by hashing each file called by the application, and when a file transfer request is received from the application, it is determined whether the file transfer request is made by determining whether a hash key of the file exists in the hash key list. File transfer security device, characterized in that. The method of claim 6, And a filtering information updating unit for obtaining filtering information from a security management server and updating the filtering information stored in the filtering information storage unit. The method of claim 6, And the filtering information includes at least one of a control target process, a transmission / reception IP address, a reception port, and a packet filtering rule.

Images