KR101370511B1 - Method and apparatus for inspecting packet by using meta-data classification - Google Patents

Abstract

The present invention relates to a packet inspection technique using metadata classification suitable for efficiently inspecting the contents of packet communication data by using an uninterested classification table and an interesting classification table in a circuit sharing environment such as an open network communication environment. In the present invention, in an open network communication environment in which a single circuit is shared by multiple users, the present invention proceeds from a lower layer to a higher layer based on an OSI layer model, and sequentially compares communication-related information to application level information. If the result is classified as a packet of uninterested object, the additional inspection process can be omitted to prevent unnecessary packet information processing in the shared environment more efficiently, so that DPI can be efficiently applied and prevent the unnecessary information from being transmitted. Maximum information leakage of the individual corresponding to the user Digestion can be realized, preventing unnecessary DPI processing, reducing the load on security and surveillance systems, providing efficient retrieval methods, and minimizing the leakage of unnecessary information to ensure a large number of individual rights.

Description

Packet inspection method using metadata classification and its device {METHOD AND APPARATUS FOR INSPECTING PACKET BY USING META-DATA CLASSIFICATION}

The present invention relates to a technique for inspecting a communication packet, metadata classification suitable for efficiently inspecting the contents of packet communication data using the uninterested classification table and the interest classification table in a circuit-sharing environment such as an open network communication environment. It relates to a packet inspection method and apparatus therefor.

Recently, crimes using electronic communication have been increasing rapidly, and in the crime techniques used, there is a tendency to apply new methods for bypassing or avoiding security techniques applied to communication.

In addition, the development of interactive solutions such as chat rooms, blogs, games that provide interactive experiences, and public webpages in recent communication environments have made it easier to conduct such crimes. In reality, the detection of these crimes becomes more difficult.

In other words, the rapidly growing number of Internet users, the thousands of protocols they use, communication-related applications, the various ways of accessing them, and the vast amounts of communication information transmitted through them can be a boon to security-related companies and law enforcement agencies that want to prevent criminal activity. It is a big problem.

In addition, the recent wireless communication environment has been developed with the aim of providing a smooth service to individual users, providing a speed that is close to the existing wired cable network in terms of transmission speed, and homogeneous and heterogeneous in terms of network integration. Support for integration allows users to access services over a variety of networks anytime, anywhere. Accordingly, data usage using personal portable wireless communication devices is increasing exponentially every year.

In addition, in the wireless communication access environment, service providers are in a hurry to spread an open wireless access environment such as open Wi-Fi (WiFi) in order to guarantee free mobility of users, guarantee accessibility, and reduce the burden on the wireless communication network.

This open wireless access environment has many advantages in terms of accessibility of users because many users share one line by breaking the existing concept of one user per line in network side, but there are many problems in terms of network security. It is true that there is.

In terms of the existing network security, using one line is generally one user, and it is easy to match the contents of the communication with the user's identity even in the application of security and surveillance. There was this. In this case, a DPI (Deep Packet Inspection) technique is generally used as a method used to check the contents of the user's communication, which is a method of inspecting the contents of the user's communication as well as the head of the communication packet. The disadvantage is that the system load is complicated and the system load for real-time processing is high. That is, the application of the existing DPI method can examine the communication information in detail through a specific pattern-matching technique, but it is limited to searching for specific information of the communication content itself, and the method of analyzing the content is complicated. While processing is time consuming and systemic, it is costly to implement, while the results are limited and provide an overall understanding of the communication itself, taking into account the contextual relationship between numerous applications, physical locations, communication devices and electronic identities in real time. One has a limit.

In addition, there are aspects that make it difficult to apply such a DPI technique as it evolves into various forms in the use of an application used by an individual. For example, web mail can be used as a place where multiple users can share information and passwords by sharing accounts and passwords. In the case of the Instant Messenger program, a user's computer Indirect sharing is possible by sending a file in to another user, directly sharing to multiple users, or by providing a link (access point), sending instant messengers or having a conversation through computer games, and social networks. It is now possible to send and receive user communication in the form of a messenger. In addition, in the communication itself, the majority of Internet communications are based on IP protocols, but the use of individual local protocols is increasing, and the number of newly developed protocols is increasing with the development of the Internet environment, and in most cases, OSI It is a trend to break away from the hierarchical model and construct its own form.

On the other hand, in terms of user identity, it is difficult to verify user identity due to the increasing use of a method in which multiple users share one line, breaking away from the existing concept of one line and one user, which is a big problem in terms of security and surveillance. have. In addition, most communication users do not use a variety of communication access methods using only one same account type, but communicate using various accounts and login IDs according to the communication access method. In many cases, the contents provided are inconsistent, which is a problem when applying security or judicial activities.

Also in the connection method, it is common to use various forms such as, for example, a desktop, a notebook, a wireless communication device, and a mobile communication device.

Therefore, the development of such communication environment is pushing the processing limits of the techniques applied for the security and monitoring of the existing packet communication in terms of security and monitoring, and the rapid development of new technologies and environments makes the existing methods more inefficient. As a result, the increase in the inspection and transmission of unnecessary data is encroaching on the communication band, and the inspection of the communication contents for the majority of the shared users who are not subject to security and surveillance may lead to the violation of personal rights.

The technical problem to be achieved in the present invention, as described above, in applying the DPI technique for security and monitoring in an environment where a plurality of users using a packet communication service through a circuit sharing environment, such as one open network communication environment, communication By using metadata, which is information related to communication in granular units, the application targets are pre-classified, and the contextual information as well as the communication itself is simultaneously reviewed to use the overall situation of the communication situation and activity, and the causal relationship and association between each communication. It is possible to apply security techniques, to apply more powerful search and extraction of communication data of interest, and to define communication forms for automated search and suspicious communication. At the same time, it provides a more efficient method of detecting suspicious objects. By doing so, the complexity of the DPI scheme can be reduced.

In addition, the present invention can save system resources by reducing the system complexity in security and surveillance services by omitting the application of complex security techniques to uninterested objects, and eliminates communication bandwidth erosion by eliminating unnecessary inspection and transmission of data. By preventing and checking the contents of the communication of the majority of shared users who are not subject to security and surveillance, the protection of their contents is ensured to guarantee the right to privacy.

According to an aspect of the present invention, a process of performing DPI for extracting metadata related to a communication packet of a communication entity in an open network communication environment, and using the previously stored metadata classification table to compare the extracted similarities Checking whether metadata is uninterested or interested information, when the uninterested information is used, proceeding to a processing process for a next communication entity, and when communicating the interested information, the communication entity It provides a packet inspection method using a metadata classification including the process of executing a user interest policy defined for the.

According to another aspect of the present invention, a DPI extraction block for extracting metadata related to a communication packet of a communication entity in an open network communication environment based on a search control command, a plurality of preset information of interest and a plurality of preset information An information storage block for storing a metadata classification table of uninterested pieces of information and a similarity comparison using the metadata classification table stored in the information storage block to determine whether the extracted metadata is information of uninterested interest or interest. The search based on the metadata-based classification block that determines whether the information is information and generates a corresponding determination signal, and when the uninterested determination signal corresponding to the uninterested target information is generated, proceeds to a processing process for the next communication entity. Generate a control command and generate an interest determination signal corresponding to the interest information. And a control block for generating the search control command for executing a predefined user interest policy for the communication entity.

The DPI method using metadata classification according to the present invention proceeds from a lower layer to a higher layer based on an OSI layer model in an open network communication environment in which one circuit is shared by a plurality of users, and application level information from communication related information. Compared to the sequential order, if the result is classified as a packet of uninterested object, the additional inspection process can be omitted, and the DPI application can be efficiently performed by preventing unnecessary packet information processing in the shared environment more efficiently. By preventing the transmission of information, it is possible to minimize the leakage of information of the individual corresponding to the bona fide user.

In addition, the present invention reduces the load of the security and surveillance system by preventing unnecessary DPI processing, provides an efficient search method, and has the advantage of minimizing the leakage of unnecessary information to ensure a number of individual rights.

1 is a schematic diagram of an open wireless communication system suitable for applying the packet inspection apparatus of the present invention;
2 is a block diagram of a packet inspection apparatus using metadata classification according to the present invention;
3 is a flow chart illustrating the main process of inspecting a packet using metadata classification in accordance with the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In the following description of the present invention, detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. In addition, terms to be described below are terms defined in consideration of functions in the present invention, which may be changed according to intention or custom of a user, an operator, or the like. Therefore, the definition should be based on the technical idea described throughout this specification.

1 is a schematic diagram of an open wireless communication system suitable for applying the packet inspection apparatus of the present invention, which includes a plurality of wireless clients 102/1-102/4, a plurality of wired clients 104/1, 104/2, Servers or websites 106/1-106/3 and the wireless communication device 108 and the Internet 110 that physically connect them, and the like, and between the wireless communication device 108 and the Internet 110. The packet inspection apparatus 112 of the present invention may be connected to the communication path of the present invention. Here, the wireless communication device 108 may be an open wireless LAN such as, for example, Wi-Fi.

Referring to FIG. 1, communication packets including IDs and contents of communication entities communicate with each other (transmission and reception) between each wireless client and each wired client or between each wireless client and each server or website. The packet inspection device 112 of the present invention physically connected between the Internet and the Internet 110 captures and inspects communication packets (or data packets) that communicate with each other for security, crime prevention, and the like. This will be described in detail with reference to FIGS. 2 and 3.

2 is a block diagram of a packet inspection apparatus using metadata classification according to the present invention, which includes a DPI extraction block 202, a metadata-based classification block 204, an information storage block 206, a control block 208, Analysis processing block 210, metadata information update block 212, and the like. Here, the information storage block 206 may include an uninterested classification table 2062, an interesting classification table 2064, a suspected classification table 2066, a detailed analysis analysis registration DB 2068, and the like.

Referring to FIG. 2, the DPI extraction block 202 captures a communication packet from a communication path between the wireless communication device 108 and the Internet 110, that is, based on a search control command provided from the control block 208 described later. Capturing communication packets of communication entities in an open network communication environment, extracting metadata from communication packets of the corresponding communication layer to be captured, and transferring the extracted metadata to the metadata-based classification block 204. To provide.

That is, the DPI extraction block 202 searches for not only the communication head but also the contents of the communication packet itself with respect to the network communication packet that is captured and inputted, and the communication related information corresponding to the lower layer is based on the OSI layer model. Rather, it extracts application level information and user level information included in the upper layer.

Next, the metadata-based classification block 204 corresponds to the metadata classification table pre-stored in the information storage block 206, that is, similarity comparison using the uninterested classification table 2062 and the interest classification table 2064. Based on the OSI layer model, it is determined whether the metadata extracted from the communication layer is uninterested information, interest information, or suspicious information, and the corresponding decision signal, that is, uninterested information corresponding to uninterested information, is determined. A signal, an interest determination signal corresponding to the object of interest information, or a doubt determination signal corresponding to the object of interest information may be selectively generated and transmitted to the control block 208.

To this end, the information storage block 206 includes a metadata classification table consisting of a plurality of preset information of interest and a plurality of preset information of interest, that is, the uninterested classification table 2062 and the interest classification table ( 2064) and a suspect classification table 2066 for storing metadata of the suspect object.

Here, the metadata used is related to data that can be extracted for the communication of the packet from the lower layer to the upper layer based on the OSI layer model, and from the user defined lower search rank to the upper search rank in the application layer. The information may refer to additional information that provides a criterion for the communication. For example, assuming that the packet captured for inspection is a packet for transmitting an e-mail, the metadata for this may be as follows.

Information associated with the title

Information related to the body

Sender Name or Email Address

One or multiple recipient names or email addresses

Receive form (eg, direct receive, accusation, blind reference, etc.)

What the words in your email address mean

Embedded information (eg, information contained in electronic business cards, images, structured data, etc.)

Linked information (e.g., information related to the linking address included in the email)

Attached information (eg, information related to the attached Word file)

Information on when the email was sent

Geographic information of the sender of the email

Geographic information of the email recipient

Email related solution information

Communication related network connection information

That is, as described above, the classification of the packet using metadata may be classified into a packet of interest and a packet of interest. The packet of interest belongs to a packet of interest and a packet suspected of interest. The target packet may belong to packets that have been identified as not belonging to the packet of interest in the entire packet.

In other words, the main classification criteria used in the metadata-based classification according to the present invention is a classification table using uninterested target information, and metadata about communication packets corresponding to lower layers in the OSI layer model for uninterested packet input. From the contents of the to the contents of the metadata for the communication packet corresponding to the upper layer, in the case of the application layer may be configured to include a gradually increasing content from the user-defined lower search ranking to the upper search ranking.

For example, when the packet inspection technique of the present invention is used by law enforcement agencies, service providers, companies, and the like for security, such as police or prosecutors, the target of interest may use information about a specific target, which is well known, This may be a specific keyword to be aware of. For example, if the identity of the interested person is known as 'yubin_park', these are information about the interested user. In this case, it may be a secret word, such as 'xxx' in 'xxx project'. In addition, communication-related information except for these interested objects may be classified as uninterested objects. That is, the target of interest may be regarded as a search word to be noted in the communication and a set thereof, and the uninterested target may be contents other than those of communication related contents.

In this case, the metadata-based classification block 204 may perform the determination of the validity (determination) of the uninterested classification table and the extracted metadata at predetermined periodic intervals. When determined not to be of interest, such a determination may be inaccurate since the determination is dependent on data at the time of inspection. Therefore, by examining the contents of communication by the communication entity at a certain communication time point (e.g., when a certain amount of communication occurs after a decision or when a certain time has elapsed, etc.), the previous judgment (decision) is reexamined. can do. In this case, the predetermined periodic period may be arbitrarily set by the interested requestor (inspector requester) or the search service operator. Here, the test requestor (interest requester) may be located in, for example, an adjacent area of the packet inspecting apparatus or a remote place that can be connected to the packet inspecting apparatus via a network such as the Internet.

In addition, the metadata-based classification block 204 is a suspicion packet corresponding to the suspicious packet belonging to the object of interest, that is, when it is determined that it is not the object of interest but is a suspicious object, the suspicious decision corresponding thereto. Provides a function such as generating a signal and passing it to the control block 208.

For example, suppose that in an open network communication where the communication contents of an object named yubin_park are checked, there is an object classified as aaa_park and a communication object named yubin99. For example, when a mail account of a specific person does not match according to a server. Considering that there is, for example, may be modified in the form of xxx@hotmail.com, xxx_yyy@yahoo.com, xxx99@gmail.com and the like. In this case, if yubin_park is of interest, an entity named aaa_park or yubin99 may be classified as the communication contents of the suspect, and communication packets transmitted from their IDs may be classified as the suspect packets. At this time, whether the communication contents of the suspected communication entity actually correspond to the communication of interest is analyzed by using a DPI technique that analyzes the contents of the communication packet, that is, the contents of the body including the normal packet head inspection. It can be done in a way.

If, after analyzing the mail contents of the suspected aaa_park object and the yubin99 object, it is determined that the aaa_park object has the last name of Park and the first name is Munsu, then the aaa_park object has the same last name but the same name. After analyzing the communication content of another entity, yubin99, if it is found that the person's name is Yubin99, yubin99 is registered with the details of yubin_park of interest (registered in the interest classification table). Will be used for packet inspection.

Next, the control block 208 generates a search control command to proceed to the processing process for the next communication entity when the uninterested determination signal corresponding to the uninterested information is provided from the metadata-based classification block 204. And the result is passed to the DPI extraction block 202. As a result, the DPI extraction block 202 stops further inspection of the corresponding packet and proceeds to examining the contents of the next communication packet. Effectively reducing the processing load at block 202. Here, the control block 208 may perform a function such as transferring metadata, which is uninterested information, to the metadata information update block 212 together with an addition or update control command.

In addition, when the interest determination signal corresponding to the interest information is provided from the metadata-based classification block 204, the control block 208 skips an additional comparison and classification process for the corresponding communication entity and pre-defined user interest policy. After executing the control command for the next communication entity is generated and transmitted to the DPI extraction block 202, the DPI extraction block 202 will proceed to the processing process for the next communication entity.

At this time, the analysis of the details of the communication entity of interest may be performed through the analysis processing block 210, the analysis results of the details are transferred to the control block 208, the details in the information storage block 206 It may be selectively stored in the history analysis registration DB (2068). In addition, the detailed breakdown analysis result thus selected and stored may be utilized in the user interest policy. Here, the control block 208 may perform a function such as transferring metadata, which is information of interest, to the metadata information update block 212 together with the addition or update control command.

That is, the analysis processing block 210 details the communication contents of the corresponding communication entity transmitted from the DPI extraction block 202 according to the search control command from the control block 208 when the extracted metadata is the information of interest. And the analysis result of the details are transmitted to the control block 208, and the like.

Here, the user interest policy may, for example, transmit (transmit) the communication contents of the communication entity of interest to a preset inspection requester, notify or notify the inspection requester of the results of processing the information of interest, or transmit the contents of the communication entity. It may be at least any one of keeping the tracking result, deleting the communication contents of the communication entity, or continuously blocking communication of the communication entity.

For example, if a communication object of interest such as yubin_park or yubin99 is of interest or a word of interest such as 'xxx project' appears in the communication content, the control block 208 cares about the communication content of the communication object. The requestor can be sent to a law enforcement agency, service provider or company manager, such as a police or prosecution service, so that the requester of interest can perform further in-depth analysis of the details of the entity's communication.

In this case, the control block 208 may transfer the communication content of interest to a separate processing block (not shown), which is difficult to analyze in detail due to the processing capability or other performance constraints of the packet inspection apparatus. Or some of the contents are encrypted or difficult to interpret, this is to allow the separate processing block to process the packet processing (analysis of the details) for this, thereby preventing and reducing the performance degradation of the packet inspection apparatus. Dispersion effect can be realized. Here, the separate processing block may be mounted in the packet inspection apparatus or in an apparatus located in an adjacent area of the packet inspection apparatus. In addition, the control block 208 may transmit the communication content of interest to the preset test requestor for in-depth analysis of the details.

Further, when it is determined that the inspection up to the last step is not finished, the control block 208 proceeds to the upper layer of the corresponding communication layer to perform metadata extraction and determination from the related layer information and the communication contents of the corresponding communication entity. Provides a function such as generating a search control command to the DPI extraction block 202.

In addition, when the suspicious decision signal for the determination from the metadata-based classification block 204 to the highest layer is provided, the control block 208 uses the suspicious information as the interest information according to a predefined user suspicious policy. After deciding whether to process or process with uninterested information (policy enforcement), the information of the suspected taxonomy 2066 is added to the interested taxonomy 2064 or the uninterested taxonomy 2062. After that, the suspicious information is processed according to a predefined information processing policy of interest or uninterested information processing policy.

For example, a packet analysis of the suspicious yubin99 to the application level is difficult to determine whether the corresponding entity is the same as yubin_park, or the communication containing the word 'xxx project' refers to the 'xxx project'. In some cases, it may be difficult to determine whether the contents are included, and this case may be determined as a suspicious object, and the contents of communication of the object are regarded as suspicious objects, and a predefined user suspicious policy will be executed.

That is, the present invention, as can be seen from the above, by pre-classifying the application using the metadata, which is the communication-related information of the granular unit, and by simultaneously reviewing not only the communication itself but also the contextual information, communication It is possible to apply security techniques using the overall situation of the situation and activities and the causal relationship and association between each communication.

For example, if you are tracking the communication of a criminal named yubin_park, and analyzed the previous communication records, the target of yubin_park frequently visits the website www.xxx.com, mainly uses the YYY mail service, and the zzz file. Suppose you are sharing a file with another person via a server, and you frequently exchange messages with someone who uses the ccc account and Lim Kuk-jeong, who uses the ddd account.

In this case, in theory, yubin_park may be tracked by the target, but such a setting may be achieved when a person named yubin_park communicates with an identity of yubin99 using, for example, an illegal phone (aka, cannon phone), a car name, or a fake identity. It can be useless. In order to prevent such a case, the function of additionally analyzing the contextual information of the communication of the interested party is provided as described above, so that when the result of analyzing the communication pattern of the yubin99 indicates the similarity with the communication pattern of the former yubin_park It is considered suspicious and can be handled according to a predefined user suspicion policy that includes continuing tracking and communication blocking.

Finally, metadata information update block 212 optionally passes metadata from the control block 208 along with the addition or update control instructions for metadata that is of interest, metadata of interest, or metadata of doubt. Add or update to the uninterested taxonomy 2062, the interested taxonomy 2064, or the suspected taxonomy 2066 when stored, which may add or update stored uninterested information, In order to make the information of interest and information of suspicious information available for later retrieval (packet inspection).

Next, a series of processes for performing packet inspection using metadata classification using the packet inspection apparatus of the present invention having the above-described configuration will be described in detail with reference to FIG. 3.

3 is a flow chart illustrating the main process of inspecting a packet using metadata classification in accordance with the present invention.

Referring to FIG. 3, in the DPI extraction module 202, when a search control instruction for packet inspection is transmitted from the control block 208 (step 302), the DPI for extracting metadata is performed, that is, open network communication. Metadata is extracted from the communication related information of the corresponding communication layer captured in the environment, and the extracted metadata is transmitted to the metadata-based classification block 204 (step 304). In this case, the network communication packet captured and input may perform a function of searching not only the communication head but also the contents of the communication packet itself, which is applied to the upper layer as well as the communication related information corresponding to the lower layer based on the OSI layer model. The extraction function up to the included application level information and user level information may be performed.

Next, in the metadata-based classification block 204, the OSI hierarchy model is compared based on a similarity comparison using the uninterested classification table 2062 and the interest classification table 2064 previously stored in the information storage block 206. Whether metadata extracted from the communication layer is uninterested information (step 306) or interest information (step 308), or whether DPI execution on the communication object has reached the final level (step 310). Judge. In other words, the process of packet inspection is carried out to the upper layer to extract and determine the information about the packet (uninterest object determination, interest object determination, suspicious object determination) is metadata extraction and determination up to the highest level (final stage). This is done to determine whether it is uninterested, interested or suspicious.

As a result of the determination in step 306, if the extracted metadata is determined to be uninterested information, the metadata-based classification block 204 determines a non-interest corresponding to a corresponding decision signal, that is, uninterested information. A signal is generated and passed to the control block 208, and in response, the control block 208 generates a control command for stopping an additional DPI and sends it to the DPI extraction block 202, resulting in a DPI extraction block 202. C) suspend additional inspection for that packet (stop further DPI operations and processing for that packet) (step 312). In other words, when the communication entity is uninterested, such a processing (additional DPI stop) technique may effectively reduce the processing load in the DPI extraction block 202.

In addition, the control block 208 transfers metadata, which is uninteresting information, to the metadata information update block 212 together with the addition or update control command, and in response, the metadata information update block 212 receives the control block ( Metadata, which is the uninterested object information transmitted from 208, is added or updated to the uninterested classification table 2062 (step 314). Here, adding or updating the metadata of the uninterested object information to the uninterested object classification table 2062 is so that the uninterested object information stored in the added or updated can be utilized in a later search (packet inspection).

The DPI extraction block 202 then proceeds to inspect the contents of the next communication packet when the search control command is provided from the control block 208 to command the next communication entity (ie, to the processing process of the next communication entity). Proceed) (step 326).

If it is determined that the extracted metadata is the object of interest information, the metadata-based classification block 204 determines the corresponding determination signal, that is, the interest determination signal corresponding to the object of interest information. Is generated and passed to the control block 208, in response, the control block 208 omits an additional comparison and classification process for the communication entity and executes a predefined user interest policy (step 316). In this case, the predefined user interest policy may be configured to notify or transmit a content of interest to a preset requester of interest or to transmit a communication content, keep track of the communication object, delete the communication content, or communicate the communication object. At least one or more of the policies to continue to block.

At this time, the analysis of the details of the communication entity of interest may be performed through the analysis processing block 210 according to the control from the control block 208, and the analysis result of the details is transferred to the control block 208. The information may be delivered and stored in the detailed analysis analysis registration DB 2068 in the information storage block 206, and the analysis result of the detailed analysis may be used for a user interest policy.

In this case, the communication contents of interest may be delivered in a separate processing block or transmitted to a preset inspection requester, which is difficult to analyze in detail due to processing capability or other performance constraints of the packet inspection apparatus. Or some of the contents are encrypted or difficult to interpret, this is to allow the separate processing block to process the packet processing (analysis of the details) for this, thereby preventing and reducing the performance degradation of the packet inspection apparatus. Dispersion effect can be realized. Here, the transmission of the communication content of interest to the preset test requestor is to enable the test requester to deeply analyze the details.

In addition, the control block 208 transfers the metadata of interest information to the metadata information update block 212 together with the addition or update control command, and in response, the metadata information update block 212 controls the control block 208. Metadata, which is the information of interest delivered from), is added or updated to the interest classification table 2064 (step 318), and subsequent processing proceeds to step 326. Here, the addition or update of the metadata of the interest information to the interest classification table 2064 is performed so that the interest information that is added or updated may be utilized in a later search (packet inspection).

On the other hand, if it is determined that the check in step 310 is not the final step, that is, the non-interest and interest information is determined not to be the final step, the control block 208 metadata that is suspect information. Is transmitted to the metadata information update block 212 together with the addition or update control command, and in response, the metadata information update block 212 classifies the metadata, which is suspect information received from the control block 208, into the suspect object classification. Add or update storage in table 2066 (step 320), and then processing moves to the next step (higher hierarchy) and proceeds to step 304 described above. Here, the addition or update of the metadata of the suspected information to the suspected classification table 2066 is made so that the suspected information stored in the added or updated can be utilized in a later search (packet inspection).

If the result of the check in step 310 determines that the final step of the inspection has been reached without being of interest information or interest information, the control block 208 determines the suspect object according to a predefined user suspect object policy. After deciding whether to treat the information as of interest or uninterested information (policy enforcement) (step 322), add the information from the suspect classification to the interest or uninterested taxonomy. In operation 324, the processing is performed according to a predefined target information processing policy or uninterested information processing policy.

In the above description has been described by presenting a preferred embodiment of the present invention, but the present invention is not necessarily limited to this, and those skilled in the art to which the present invention pertains within a range without departing from the technical spirit of the present invention It will be readily appreciated that branch substitutions, modifications and variations are possible.

202: DPI Extraction Block 204: Metadata-Based Classification Block
206: information storage block 208: control block
210: analysis processing block 212: metadata information update block
2062: Taxonomy of Interest 2064: Taxonomy of Interest
2066: suspected classification 2068: detailed breakdown analysis registration DB

Claims (22)

delete Performing a DPI for extracting metadata related to a communication packet of a communication entity in an open network communication environment;
Through similarity comparison using the uninterested classification table in the previously stored metadata classification table, it is checked whether the extracted metadata is uninterested information, and then similarity comparison using the interest classification table in the metadata classification table. Checking whether the extracted metadata are information of interest;
When the uninterested target information is included, proceeding to a processing process for a next communication entity;
Executing the user interest policy predefined for the communication entity when the interest information is the interest information
Packet inspection method using metadata classification comprising a. 3. The method of claim 2,
The method comprises:
Adding or updating the extracted metadata to the uninterested classification table when the extracted metadata is the uninterested target information.
Packet inspection method using metadata classification further comprising. 3. The method of claim 2,
The method comprises:
Adding or updating the extracted metadata to the target interest classification table when the extracted metadata is the target interest information
Packet inspection method using metadata classification further comprising. 5. The method of claim 4,
The method comprises:
When the extracted metadata is the object of interest information, transferring the extracted metadata to an analysis processing block and performing detailed breakdown analysis on the communication contents of the communication entity;
Packet inspection method using metadata classification further comprising. 5. The method of claim 4,
The method comprises:
Transmitting the communication contents of the communication entity to a preset test requestor when the extracted metadata is the object of interest information;
Packet inspection method using metadata classification further comprising. Performing a DPI for extracting metadata related to a communication packet of a communication entity in an open network communication environment;
Checking whether the extracted metadata is uninterested or interested information through similarity comparison using a pre-stored metadata classification table;
When the uninterested target information is included, proceeding to a processing process for a next communication entity;
Executing the user interest policy predefined for the communication entity when the interest information is the interest information
/ RTI >
The user interest policy,
At least any one of notification or transmission of communication content to the requester of interest, transmission of communication content, tracking and keeping of the communication object, deletion of the communication content, and continuous blocking of the communication object.
Packet inspection method using metadata classification. Performing a DPI for extracting metadata related to a communication packet of a communication entity in an open network communication environment;
Checking whether the extracted metadata is uninterested or interested information through similarity comparison using a pre-stored metadata classification table;
When the uninterested target information is included, proceeding to a processing process for a next communication entity;
Executing the user interest policy that is predefined for the communication entity when the interest information is used;
If the metadata extracted from the corresponding communication layer is not the uninterested or interested information, proceeding to a higher layer to perform metadata extraction and determination from related layer information and communication contents of the corresponding communication entity.
Packet inspection method using metadata classification comprising a. The method of claim 8,
The method comprises:
When it is determined that the check result up to the top layer is suspected, it is determined whether to treat the suspected information as the interested information or the uninterested information according to a predefined user suspected policy. Process of adding information from the target taxonomy to the taxonomy of interest or taxonomy of interest
Packet inspection method using metadata classification further comprising. The method of claim 9,
The method comprises:
After the adding process, the suspicious information is processed according to a predefined information of interest information processing policy or uninterested information processing policy
Packet inspection method using metadata classification further comprising. Performing a DPI for extracting metadata related to a communication packet of a communication entity in an open network communication environment;
Checking whether the extracted metadata is uninterested or interested information through similarity comparison using a pre-stored metadata classification table;
When the uninterested target information is included, proceeding to a processing process for a next communication entity;
Executing the user interest policy predefined for the communication entity when the interest information is the interest information
/ RTI >
The uninterested target information or the target interested information,
Search term and its set
Packet inspection method using metadata classification. Performing a DPI for extracting metadata related to a communication packet of a communication entity in an open network communication environment;
Checking whether the extracted metadata is uninterested or interested information through similarity comparison using a pre-stored metadata classification table;
When the uninterested target information is included, proceeding to a processing process for a next communication entity;
Executing the user interest policy predefined for the communication entity when the interest information is the interest information
/ RTI >
The extracted metadata is
Information extracted from the lower or higher layers
Packet inspection method using metadata classification.
delete A DPI extraction block for extracting metadata related to a communication packet of a communication entity in an open network communication environment based on a search control command;
An information storage block for storing a metadata classification table having a plurality of preset information of interest and a plurality of preset information of interest;
The similarity comparison using the metadata classification table stored in the information storage block determines whether the extracted metadata is information of interest or information of interest, and generates a corresponding determination signal. The extracted metadata A metadata-based classification block that re-determines whether or not the previous judgment on the communication contents of the corresponding communication entity is set at predetermined intervals when the information of interest is uninterested information;
When an uninterested determination signal corresponding to the uninterested object information is generated, the search control command for generating a processing process for the next communication entity is generated, and when an interest determination signal corresponding to the interested object information is generated. And a control block for generating the search control command to execute a predefined user interest policy for the communication entity.
Packet inspection apparatus using metadata classification comprising a. 15. The method of claim 14,
The predetermined constant period interval,
Can be arbitrarily set by the preset scan requester or search service operator
Packet inspection apparatus using metadata classification. A DPI extraction block for extracting metadata related to a communication packet of a communication entity in an open network communication environment based on a search control command;
An information storage block for storing a metadata classification table having a plurality of preset information of interest and a plurality of preset information of interest;
After determining whether the extracted metadata is uninterested information through similarity comparison using the uninterested classification table in the metadata classification table stored in the information storage block, and using the interested interest classification table in the metadata classification table. A metadata-based classification block that determines whether the extracted metadata is information of interest through similarity comparison and generates a corresponding determination signal;
When an uninterested determination signal corresponding to the uninterested object information is generated, the search control command for generating a processing process for the next communication entity is generated, and when an interest determination signal corresponding to the interested object information is generated. And a control block for generating the search control command to execute a predefined user interest policy for the communication entity.
Packet inspection apparatus using metadata classification comprising a. 17. The method of claim 16,
The apparatus comprises:
A metadata information update block for adding or updating the extracted metadata to the uninterested classification table when the extracted metadata is the uninterested target information;
Packet inspection apparatus using metadata classification further comprising. 17. The method of claim 16,
The apparatus comprises:
When the extracted metadata is the object of interest information, the metadata information update block for adding or updating the extracted metadata to the object of interest classification table.
Packet inspection apparatus using metadata classification further comprising. 19. The method of claim 18,
The apparatus comprises:
An analysis processing block for analyzing details of communication contents of the communication entity when the extracted metadata is the object of interest information;
Packet inspection apparatus using metadata classification further comprising. 19. The method of claim 18,
The control block includes:
When the extracted metadata is the object of interest information, the communication content of the communication entity is transmitted to a preset test requestor.
Packet inspection apparatus using metadata classification. A DPI extraction block for extracting metadata related to a communication packet of a communication entity in an open network communication environment based on a search control command;
An information storage block for storing a metadata classification table having a plurality of preset information of interest and a plurality of preset information of interest;
A metadata-based classification block that determines whether the extracted metadata is uninterested or of interest information through similarity comparison using the metadata classification table stored in the information storage block, and generates a corresponding determination signal; ,
When an uninterested determination signal corresponding to the uninterested object information is generated, the search control command for generating a processing process for the next communication entity is generated, and when an interest determination signal corresponding to the interested object information is generated. Generate the search control command to execute a predefined user interest policy for the communication entity; and if the metadata extracted from the corresponding communication layer is not the uninterested or interested information, proceed to a higher layer. Control block for generating the search control command to perform metadata extraction and determination from related layer information and communication contents of the corresponding communication entity.
Packet inspection apparatus using metadata classification comprising a.
22. The method of claim 21,
The control block includes:
When a suspicious decision signal for the decision from the metadata-based classification block to the highest layer is provided, a predefined user suspicious policy is executed.
Packet inspection apparatus using metadata classification.

Images