KR101466944B1 - Method for controlling application data and network device thereof - Google Patents


Info

Publication number
KR101466944B1
Authority
KR
South Korea
Prior art keywords
application data
application
information
received
operating system
Prior art date
Application number
KR1020130009129A
Other languages
Korean (ko)
Other versions
KR20140096525A (en)
Inventor
하성진
Original Assignee
주식회사 시큐아이
Application filed by 주식회사 시큐아이 filed Critical 주식회사 시큐아이
Priority to KR1020130009129A priority Critical patent/KR101466944B1/en
Publication of KR20140096525A publication Critical patent/KR20140096525A/en
Application granted granted Critical
Publication of KR101466944B1 publication Critical patent/KR101466944B1/en

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network-specific arrangements or communication protocols supporting networked applications
    • H04L67/14: Network-specific arrangements or communication protocols supporting networked applications for session management
    • H04L67/141: Network-specific arrangements or communication protocols supporting networked applications for session management provided for setup of an application session
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to network resources

Abstract

The present invention relates to a method of controlling application data on a network device and the like. The operating system and the application are identified using a connection request message and application data received from an arbitrary client apparatus, making it possible to selectively control application use and connection requests from mobile devices.

Description

METHOD FOR CONTROLLING APPLICATION DATA AND NETWORK DEVICE

BACKGROUND OF THE INVENTION

The present invention relates to a method of controlling application data and a network device therefor, and more particularly to a method of identifying an application and an operating system in order to control connections and other activity related to application execution.

Since the late 1990s, several security companies have been providing network security technologies such as firewalls, virtual private networks (VPNs), intrusion detection systems (IDS), intrusion prevention systems (IPS), anti-spam, e-mail security, and web security.

In addition, network-based applications that provide network-based services are becoming increasingly widespread. Accordingly, techniques for identifying and controlling network-based applications on a network are also developing. Control is being extended beyond the level of allowing or blocking packets based on IP address and port information, as in existing firewalls or Unified Threat Management (UTM) devices, to controlling applications based on the data carried in the packets.

Meanwhile, with the development and popularization of mobile devices, the environments in which network-based applications are used have expanded from computer operating systems such as Windows, Linux, MacOS, and UNIX to mobile operating systems such as Android and iOS. When a security device such as an existing UTM device decides whether to allow or block traffic only by identifying and controlling the application, there is therefore a limit to controlling an application used on an unauthorized mobile device.

The present invention provides a method for controlling a network-based application so that its use can be restricted to authorized devices.

The present invention analyzes a data packet generated by a network-based application and determines both the application and the operating system in order to control the corresponding data packet.

A method of controlling application data on a network device according to an embodiment of the present invention includes: receiving a message relating to a connection request from an arbitrary client device; Identifying an operating system installed in the arbitrary client apparatus based on the received connection request message; Receiving application data from any of the client devices; Identifying an application using the received application data; And applying the identified operating system information and application information to the control information pre-stored in the network device to control application data transmitted and received with the arbitrary client device.

A network device for controlling application data according to an embodiment of the present invention includes: a communication unit for receiving a message and application data related to a connection request from an arbitrary client apparatus; An operating system identification unit for identifying an operating system mounted on the arbitrary client apparatus based on a message related to the received connection request; An application identification unit for identifying an application using the received application data; A storage unit for storing control information for controlling application data, and a control unit for controlling application data transmitted and received by the arbitrary client apparatus by applying the identified operating system information and application information to the control information.

According to the present invention, not only an operating system of a device that transmitted a data packet but also an application can be identified to enable sophisticated security processing.

FIG. 1 is a system configuration diagram for an application data control method according to an embodiment of the present invention.
FIG. 2A to FIG. 2C show the format of a message or data used in an application data control method according to an embodiment of the present invention.
FIG. 3 is a block diagram of the configuration of a network device for controlling application data according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a method of controlling application data according to an exemplary embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the detailed description of known functions and configurations incorporated herein will be omitted when it may unnecessarily obscure the subject matter of the present invention.

FIG. 1 is a system configuration diagram for an application data control method according to an embodiment of the present invention. Referring to FIG. 1, at least one client device (client device 1, client device 2, client device 3) transmits a connection request for a session connection to the host 100 over a network (not shown). The network device 200 according to an embodiment of the present invention can identify, from the connection request message arriving at the host 100, the operating system of the device that generated the message. In addition, the network device 200 can receive application data related to the operation of any application executed on the client device, and can also identify the application using the format or rule of the application data. The network device 200 may then block or pass the corresponding message based on the identified operating system and application.

For example, assume that a messenger application for sending and receiving instant messages is installed on client 1. Client 1 may attempt a connection request to the host 100 using the messenger application. The host 100 can receive the SYN packet of the connection request message, and the operating system mounted on client 1 can be identified from that packet. The SYN packet includes fields in its IP header and TCP header whose values differ from one OS to another. FIG. 2A illustrates the format of the IP header, and FIG. 2B illustrates the format of the TCP header. Referring to FIG. 2A, the IP header may include a type of service (TOS), an Internet header length (IHL), an identification, a time to live (TTL), and IP flags. TOS represents the service type, IHL represents the length of the IP header, Identification represents the reassembly number of a fragmented packet, TTL represents the time or the number of hops for which the datagram is kept alive, and IP Flags carries the fragmentation flag settings. Each operating system may set its own values for these fields, but different operating systems may also set the same value for a given field. For example, in the Windows 7 and Windows 2000 operating systems the TTL in the IP header of the SYN packet may be set to 128, while in Linux kernel 2.4 it may be set to 64. The network device 200 according to the present invention can identify the operating system using the IP header information included in the SYN packet.

Referring to FIG. 2B, the TCP header includes a window size, an MSS (Maximum Segment Size), a Timestamp, a Window Scale Factor (WS), a Selective Acknowledgment (SACK), and a No Operation (NOP). The Window (Window Size) represents the size of the window that can be received at the receiving side, that is, the data size. MSS (Maximum Segment Size) represents the maximum size of the TCP data segment to be transmitted. Timestamp is an option, WS (Window Scale Factor) is an option for scaling the window size, and SACK (Selective Acknowledgment) is an option for selective retransmission of lost packets. For example, in the case of Windows 7, the Window Size is set to 8192, the MSS is set to 1460, the Window Scale is set to 2, SACK is set to permitted, and the NOP count can be 3.

Since some header information may be the same across operating systems, the present invention finally determines the operating system by extracting all the information in the SYN packet that can identify the operating system and combining it.
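The passive SYN fingerprinting described above, as an added example that is not part of the patent: the parser pulls the IP fields (TOS, IHL, Identification, Flags, TTL) and TCP fields (window, MSS, window scale, SACK, timestamp, NOP count) out of a raw IPv4/TCP SYN, and the matcher combines all of them against a fingerprint table. The table, the option layouts and the sample packets are constructed; only the Windows 7 values and the TTLs for Windows 2000 and Linux 2.4 come from the text.

```python
import struct

# Constructed fingerprint table. The Windows 7 row uses the values quoted in the text
# (TTL 128, window 8192, MSS 1460, window scale 2, SACK permitted, three NOPs). The
# Windows 2000 and Linux 2.4 rows are deliberately partial because the text gives only
# their TTL; this is exactly why a TTL alone cannot separate Windows 7 from Windows 2000.
OS_SIGNATURES = {
    "Windows 7":    {"ttl": 128, "window": 8192, "mss": 1460, "wscale": 2, "sack": True, "nop": 3},
    "Windows 2000": {"ttl": 128},
    "Linux 2.4":    {"ttl": 64},
}


def parse_syn(pkt: bytes):
    """Extract the OS-identifying IP and TCP header fields from a raw IPv4/TCP SYN.

    Returns None when the packet is not TCP, not a pure SYN (SYN set, ACK clear) or too short.
    """
    if len(pkt) < 20:
        return None
    ver_ihl, tos, _tot, ident, flags_frag, ttl, proto, _cs, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:]
    if proto != 6 or ihl < 20 or len(tcp) < 20:
        return None
    _sp, _dp, _seq, _ack, off_res, tcp_flags, window, _tcs, _urg = struct.unpack("!HHLLBBHHH", tcp[:20])
    if not (tcp_flags & 0x02) or (tcp_flags & 0x10):
        return None
    fp = {"tos": tos, "ihl": ihl, "id": ident, "ip_flags": flags_frag >> 13, "ttl": ttl,
          "window": window, "mss": None, "wscale": None, "sack": False, "timestamp": False, "nop": 0}
    opts, i = tcp[20:(off_res >> 4) * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP padding; how many are used is itself a fingerprint feature
            fp["nop"] += 1
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")   # refuse truncated or zero-length options
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:    # Maximum Segment Size
            fp["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:  # Window Scale factor
            fp["wscale"] = data[0]
        elif kind == 4:                     # SACK permitted
            fp["sack"] = True
        elif kind == 8:                     # Timestamp
            fp["timestamp"] = True
        i += length
    return fp


def identify_os(fp: dict) -> str:
    """Combine every extracted field: the most specific signature whose fields all match wins."""
    best, best_score = "unknown", 0
    for name, sig in OS_SIGNATURES.items():
        if all(fp.get(k) == v for k, v in sig.items()) and len(sig) > best_score:
            best, best_score = name, len(sig)
    return best


def build_syn(ttl: int, window: int, opts: bytes, flags: int = 0x02) -> bytes:
    """Build a constructed IPv4/TCP packet for testing (checksums are left at zero)."""
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHLLBBHHH", 49152, 1863, 1, 0, (tcp_len // 4) << 4, flags, window, 0, 0)
    return ip + tcp + opts


# Constructed option layouts: MSS 1460, NOP, WS 2, NOP, NOP, SACK-permitted (Windows 7 style);
# MSS 1460, SACK-permitted, Timestamp, NOP, WS 0 (a Linux-style layout).
WIN7_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 2, 1, 1, 4, 2])
LINUX_OPTS = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 0])

if __name__ == "__main__":
    for label, pkt in (("client 1", build_syn(128, 8192, WIN7_OPTS)),
                       ("client 2", build_syn(64, 5840, LINUX_OPTS))):
        fp = parse_syn(pkt)
        print(label, {k: fp[k] for k in ("ttl", "window", "mss", "wscale", "sack", "nop")}, "->", identify_os(fp))
```

A SYN whose TTL is 128 but whose other fields differ from the Windows 7 row falls back to the TTL-only Windows 2000 entry, which is the ambiguity the text warns about when only one field is used.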

In addition, after receiving the SYN packet, the network device 200 according to the present invention can transmit a response message (ACK) to client 1. Through this response message, the session between client 1 and the host 100 can be connected.

Next, the messenger application can be executed on client 1 and application data for communicating with the host 100 can be transmitted using the connected session. The "application data" of the present invention may include any message generated in connection with the execution of an application installed on clients 1 to 3. In the present invention, applications are identified using application data. Specifically, the payload of a data packet carried by the TCP or UDP protocol may follow a certain format or rule in the message of each application. For example, FIG. 2C illustrates part of the information included in the message transmitted from the messenger application, that is, the application data. Referring to FIG. 2C, in the MSN application, when a connection request message is sent to the host 100, a message including the format "MSN 3 N 164" may be transmitted. As another example, application data generated by the NateOn application may include a format such as "MESG 7 TYPING 1", and the Yahoo application may include a format such as "YMSG 0011". The network device 200 of the present invention can identify an application by referring to the format or rule of the application data. If the application data is in a new format, the application cannot be identified, so it can be blocked or restricted according to policy.

When the network device 200 has identified the operating system and the application of client 1, it can control the application data by determining whether or not to permit subsequent transmission and reception of the application data. For this, the network device 200 can use previously stored control information. The control information may comprise a set of information about acceptable messages. For example, the control information may include source information such as a source IP address and port, destination information such as a destination IP address and port, operating system information, protocol information, or a set of application information. When the message is included in the list held in the control information, the network device 200 can transmit a response message to the application data and allow it. Conversely, if the application data does not match anything within the control information, the application data can be blocked. For example, if the source information, the destination information, the port information, and the OS information match the control information but the application information is not present in the control information, the application can be blocked. In addition, the control of application data performed in the network device 200 may use known methods such as the communication allowance, detection, and blocking performed in security devices.
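The application identification by payload format and the control-information lookup described in the two paragraphs above, as an added example that is not part of the patent. The regular expressions are constructed from the three formats quoted in the text, and the control table, addresses and ports are constructed; the lookup is default-deny, so an unknown format or a matching application on an unlisted operating system is blocked.

```python
import ipaddress
import re

# Constructed application rules derived from the formats quoted in the text. Each application's
# payload follows a recognisable pattern; a payload matching none of them is "unknown".
APP_RULES = {
    "MSN":    re.compile(rb"^MSN \d+ N \d+"),        # e.g. "MSN 3 N 164"
    "NateOn": re.compile(rb"^MESG \d+ TYPING \d+"),  # e.g. "MESG 7 TYPING 1"
    "Yahoo":  re.compile(rb"^YMSG \d{4}"),           # e.g. "YMSG 0011"
}


def identify_app(payload: bytes) -> str:
    """Identify the application from the format of its payload, or return 'unknown'."""
    for name, rule in APP_RULES.items():
        if rule.match(payload):
            return name
    return "unknown"


# Constructed control information: the set of permitted combinations of source, destination,
# port, protocol, operating system and application. A None value means "any".
CONTROL_INFO = [
    {"src": "192.0.2.0/24", "dst": "198.51.100.5", "dport": 1863, "proto": "tcp", "os": "Windows 7", "app": "MSN"},
    {"src": "192.0.2.0/24", "dst": "198.51.100.5", "dport": 5050, "proto": "tcp", "os": "Windows 7", "app": "Yahoo"},
]


def _field_matches(rule_value, flow_value, is_net: bool = False) -> bool:
    if rule_value is None:
        return True
    if is_net:   # address fields are compared against a network, so one entry can cover a subnet
        return ipaddress.ip_address(flow_value) in ipaddress.ip_network(rule_value, strict=False)
    return rule_value == flow_value


def decide(flow: dict, control_info=CONTROL_INFO) -> str:
    """Return 'allow' when the flow matches an entry in the control information, else 'block'.

    Anything not listed is blocked (default deny), which covers the case in the text where
    source, destination, port and OS match but the application does not.
    """
    for rule in control_info:
        if (_field_matches(rule["src"], flow["src"], True)
                and _field_matches(rule["dst"], flow["dst"], True)
                and _field_matches(rule["dport"], flow["dport"])
                and _field_matches(rule["proto"], flow["proto"])
                and _field_matches(rule["os"], flow["os"])
                and _field_matches(rule["app"], flow["app"])):
            return "allow"
    return "block"


def control(flow: dict, payload: bytes) -> tuple:
    """Identify the application from the payload, then apply the control information to the flow."""
    app = identify_app(payload)
    return app, decide({**flow, "app": app})


if __name__ == "__main__":
    # Constructed flow: client 1 (OS already identified from its SYN) talking to the host.
    base = {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 1863, "proto": "tcp", "os": "Windows 7"}
    print(control(base, b"MSN 3 N 164"))                       # permitted OS and application
    print(control({**base, "os": "Android"}, b"MSN 3 N 164"))  # same application, OS not in the table
    print(control(base, b"NEWPROTO 1 hello"))                  # new format: unknown, blocked by policy
```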

According to this method, in the present invention, even data from a permitted application can be blocked when it is not received from the permitted client device 1, and the network device 200 can block the application data by transmitting a reject message.

Meanwhile, the network device 200 of the present invention may be any device capable of transmitting and receiving data through a network. In the present invention, the network device 200 may be UTM (Unified Threat Management) equipment capable of performing security processing, or any other device capable of performing integrated security management. The network device of the present invention may be configured independently of the host 100 as illustrated in FIG. 1, but according to an embodiment it may be included in and operate on the host 100. In this case, 100 and the network device 200, respectively.

FIG. 3 is a block diagram of the configuration of a network device for controlling application data according to an embodiment of the present invention. Referring to FIG. 3, a network device 200 according to an exemplary embodiment of the present invention includes a communication unit 210 that receives a connection request message and application data from an arbitrary client apparatus, an operating system identification unit 220 that identifies the operating system of the arbitrary apparatus from the message related to the connection request, an application identification unit 230 that identifies an application using the application data received after a session is connected with the arbitrary apparatus, a storage unit 240 that stores the control information set in the device, and a control unit 250 that controls the application data transmitted to and received from the arbitrary apparatus by applying the identified operating system information and application information to the control information.

The communication unit 210 may receive messages or data transmitted from any device, i.e., the client devices of FIG. 1, or may transmit messages to them. The message received from the client devices may be, for example, a session connection request message used at the initial connection request. In addition, the communication unit 210 can receive the application data after the session is connected by receiving and responding to the session connection request message. The communication unit 210 may include a network interface card for transmitting and receiving messages, for example.

The operating system identification unit 220 can identify the operating system of the device from the SYN packet included in the session connection request message received by the communication unit 210. As described above, it is possible to extract all information identifying the operating system from the IP header and the TCP header information included in the SYN packet, and combine them to identify the operating system.

The application identification unit 230 can identify the application through the application data received after the session is connected between the client apparatus and the host according to the reception and response of the SYN packet. That is, as described above, in order to identify the application, it is possible to determine whether the corresponding rule is included in the payload of the application data by using the format or rule of the message used for each application.

The storage unit 240 may store control information for controlling application data according to an embodiment of the present invention. The control information may be configured as a table of source information, destination information, operating system information, or a set of application information for a plurality of data allowed in the network equipment, and the information may be set and changed. In addition, the storage unit 240 may include information for referencing to identify the operating system and the application. For example, it may be information of a SYN packet used for each operating system or a message format used for each application.

The control unit 250 can perform control processing of application data using the operating system and application information identified by the operating system identification unit 220 and the application identification unit 230. For example, when the received application data matches a part of the previously stored control information, the control unit 250 may control the communication unit 210 to transmit a response message to the application data, allowing it; if it does not match, a message blocking or restricting the application data can be sent.

FIG. 4 is a flowchart illustrating a method of controlling application data according to an exemplary embodiment of the present invention.

In step S11, a message relating to the connection request is received from the client apparatus. The message regarding the connection request may include a SYN packet as a session connection request message. Meanwhile, the present specification describes passive OS fingerprinting, in which the client device transmits the connection request message first, but the present invention is not limited thereto. For example, in active operating system identification, the network device first transmits a connection request message to the client device and, on receiving the response message, identifies the operating system using that response.

In step S12, the operating system mounted on the arbitrary client apparatus is identified based on the received message relating to the connection request. The operating system information can be determined by extracting the information that identifies the operating system from the SYN packet included in the message relating to the connection request.

When the operating system is identified, a response message is sent to a message related to the connection request, and a session is established between the client device and the host (S13).

In step S14, application data is received from the arbitrary client device using the connected session, and the application is identified using the received application data. The application data is a message generated in connection with the execution of an application operating on the arbitrary client apparatus and may include the message format regularly used by that application.

In step S15, the operating system information and application information are applied to the control information previously stored in the network device to control the application data transmitted to and received from the arbitrary client device. The control method applied to the application data may be any known method, according to the embodiment.

The method of controlling application data according to an embodiment of the present invention has been described above with reference to FIG. 4. The method for controlling application data according to the present invention can be recorded on a computer-readable recording medium as electronic code and executed on a computer, a network device or the like, and the scope of the present invention extends to any device on which it is executed.

The preferred embodiments of the present invention have been described above. It is to be understood, however, that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and alternative arrangements included within the spirit and scope of the appended claims.

Claims (10)

  1. A method for controlling application data on a network device,
    Receiving a message relating to a connection request from any client device;
    Identifying an operating system installed in the arbitrary client apparatus based on the received connection request message;
    Receiving application data from any of the client devices;
    Identifying an application using the received application data; And
    Applying the identified operating system information and application information to the control information pre-stored in the network device, and controlling application data transmitted and received with the arbitrary client device.
  2. The method according to claim 1,
    Wherein the message relating to the connection request includes a session connection request message,
    Wherein the received application data includes a message generated in connection with execution of an application running on any of the client devices.
  3. The method according to claim 1,
    Wherein identifying the operating system comprises:
    And using at least one information included in a SYN packet included in the connection request message.
  4. The method according to claim 1,
    Wherein identifying the application comprises:
    Identifying the application using the format or rules of a message used by the application.
  5. The method according to claim 1,
    Wherein the pre-stored control information comprises a set of source information, destination information, operating system information, or application information for a plurality of data allowed in the network equipment.
  6. The method according to claim 1,
    Wherein the control of the application data permits the application data when the received application data is matched to a part of the previously stored control information and blocks the application data when the received application data is not matched.
  7. A network device for controlling application data,
    A communication unit for receiving a message relating to a connection request and application data from an arbitrary client apparatus;
    An operating system identification unit for identifying an operating system mounted on the arbitrary client apparatus based on a message related to the received connection request;
    An application identification unit for identifying an application using the received application data;
    A storage unit for storing control information for controlling application data;
    And a control unit for applying the identified operating system information and application information to the control information and controlling application data transmitted / received to / from the arbitrary client apparatus.
  8. The network device according to claim 7,
    Wherein the message relating to the connection request includes a session connection request message,
    Wherein the received application data includes a message generated in connection with execution of an application operating on any of the client devices.
  9. The network device according to claim 7,
    Wherein the control unit permits the application data when the received application data matches a part of the previously stored control information and blocks the application data when the received application data does not match.
  10. The network device according to claim 7,
    Wherein the storage unit stores pre-stored control information comprising a set of source information, destination information, operating system information, or application information for a plurality of data allowed in the network device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020130009129A KR101466944B1 (en) 2013-01-28 2013-01-28 Method for controlling application data and network device thereof

Publications (2)

Publication Number Publication Date
KR20140096525A KR20140096525A (en) 2014-08-06
KR101466944B1 true KR101466944B1 (en) 2014-12-03

Family

ID=51744356

Country Status (1)

Country Link
KR (1) KR101466944B1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060083918A (en) * 2005-01-18 2006-07-21 마이크로소프트 코포레이션 Application object as primitive of operating system
KR20120021054A (en) * 2010-08-31 2012-03-08 삼성전자주식회사 Method and apparatus for providing application service and thereof system
KR20120089000A (en) * 2011-02-01 2012-08-09 삼성전자주식회사 Apparatus and method for providing application auto install function in digital device
KR101172885B1 (en) * 2008-12-18 2012-08-10 한국전자통신연구원 Apparatus and method for providing device profile using device identifier




Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20181106

Year of fee payment: 5

FPAY Annual fee payment

Payment date: 20191107

Year of fee payment: 6