KR101480438B1 - System for detecting an ip sharer - Google Patents

Abstract

The present invention relates to a system for detecting an IP sharing router, and more particularly, to a system for detecting an illegal IP sharing router which is unauthorized. A system for detecting an IP sharing router according to the present invention includes a packet collecting module for collecting a packet data necessary to detect an IP sharing router among IP packets on an Ethernet network; at least one queue memory for storing a packet having an activated SYB flag among TCP packets, or at least one piece of user-agent information among HTTP data and IP-ID information of an IP header; an IP-ID analysis module for analyzing an IP-ID information increment pattern of the IP header varied with an elapsed time to analyze whether at least two IP-ID increment patterns are detected for an arbitrary time at the same time; and a sharing router determination module for determining an IP sharing router when at least two IP-ID increment patterns corresponding to a single IP are detected at the same time.

Description

SYSTEM FOR DETECTING AN IP SHARER [0002]

The present invention relates to IP sharer detection systems, and more particularly to a system for detecting unauthorized illegal IP sharers.

The use of a network address translation (NAT) router in which a plurality of network devices share and use a single high-speed Internet line provided by an ISP is increasing rapidly. The original NAT scheme was originally developed as a technique for protecting subnetworks from external intrusion. In other words, it does not know the actual IP address assigned to the computer from the outside, making it impossible to hack or crack. Therefore, there is virtually no way to find out who is on the inside of an IP sharer using NAT.

In recent years, however, the use of the Internet by a plurality of computers using the NAT technology has been transformed into a main purpose of the IP sharer, and the use of the IP sharer is increasingly excessive.

Excessive use of IP sharers can cause unexpected and continuous traffic to the network. Moreover, current router technology is very common, and the problem is getting bigger. Therefore, detection of unauthorized illegal IP sharers is becoming an important issue in terms of network resource management.

Some methods for detecting an illegal IP router are described. First, there is a router detection technique using passive fingerprinting. This technique is a method of determining the corresponding OS by using a characteristic that a specific field value of the IP and TCP header in the TCP SYN packet has a certain pattern for each OS. When two or more OSes are detected in the same IP, It is a technology to judge as an IP router. However, in this technology, it is impossible to detect if one network terminal is connected to a router or a network terminal having two or more same OS is connected.

Another IP sharer detection technology is Router Detection technology by reducing TTL. In the case of a router that performs a routing function, the technology detects a packet generated from a PC connected to the router through the router to decrease the TTL value, and determines the router as a router. However, in the case of a router that implements an exception processing so as not to reduce the TTL value, detection is impossible.

Another known IP sharer detection technique is a router detection technique via a user-agent. This technique is based on the fact that the OS-type and version information of the corresponding PC are inserted into the user-agent among the HTTP data header contents generated by the web browser, and the OS in the user-agent analyzed in the same IP is one or more OS or the same OS If it is another version, it is a technology to judge this IP as an IP router. However, these technologies are not detectable without using a web browser and can not be detected even if user-agent values are falsified. In addition, if a single PC is connected to the router or if two or more PCs with the same OS are connected, detection is impossible.

Also, a router detection technique based on an IP-ID pattern is also known. This technology monitors and increases the ID value of the IP header to determine if two or more increase patterns are detected in one IP, to be. However, the pattern is a pattern only appearing in the MS Windows OS series, and is detectable only when there are two or more window-based OSs connected to the router. Since only the number of patterns is considered, there is a high possibility that one pattern is mistakenly determined as two patterns .

As described above, various IP sharer detection technologies already known have limitations in detection of illegal IP sharer since they have respective restrictions. Therefore, there is a need for an illegal IP sharer detection technology to overcome these limitations.

SUMMARY OF THE INVENTION Accordingly, the present invention has been made in view of the above-mentioned needs, and provides an IP router detecting system capable of increasing the detection rate of an illegal IP router by complementing various constraints appearing in various technologies by combining various IP router detecting technologies known in the art And,

It is still another object of the present invention to provide an IP router detecting system capable of detecting a router through IP-ID pattern analysis, and further increasing the router detection rate in consideration of a change in time flow in an IP-ID increase pattern.

According to an aspect of the present invention, there is provided an IP sharer detection system comprising:

A packet collecting module for collecting packet data necessary for detecting an IP router among IP packets on Ethernet transmitted through a network;

One or more queue memories in which at least one of a packet in which a SYN flag of the TCP packet or an IP-ID information of user-agent information or IP header in HTTP data is collected and stored respectively by the packet collecting module;

An IP-ID analysis module for analyzing an increase pattern of the IP-ID information of the IP header which changes with time and analyzing whether two or more IP-ID increase patterns are simultaneously detected at an arbitrary time;

And a router determining module determining that the IP router is an IP router when two or more IP-ID increase patterns are simultaneously detected in one IP,

In another aspect of the present invention, there is provided an IP sharer detection system comprising: a passive fingerprint analysis module for analyzing a SYN flag activated packet to extract OS information being used by a source IP; A TTL pattern analysis module that compares the TTL value in each OS with the initial TTL value for each OS to extract OS information in use and a user-agent data analysis module that extracts the OS information in which the packet is generated by analyzing the user- Wherein the router determination module determines an IP router based on information input from the user-agent data analysis module, the TTL pattern analysis module, the passive fingerprint analysis module, and the IP-ID analysis module, respectively .

According to the embodiment of the present invention as described above, the system of the present invention can be applied to a router detection method using passive fingerprinting, a router detection method using TTL reduction, a router detection method using a user agent, Improved router detection techniques are used in combination. As a result, it is possible to improve the detection rate of illegal IP sharer by complementing the constraints of each technology (or techniques).

Furthermore, the present invention analyzes the IP-ID increase pattern in consideration of the change of the time flow in addition to the existing method of detecting the router through the IP-ID increase pattern analysis, There is an effect that the possibility can be further lowered.

1 is an exemplary block diagram of an IP sharer detection system according to an embodiment of the present invention;
2 is a diagram for describing packet data collected in a packet collection module 100 and stored in a queue memory according to an embodiment of the present invention.
3 is a diagram for explaining a process of analyzing an IP-ID increase pattern according to an embodiment of the present invention.
4 is a diagram for explaining an IP sharer judging process according to an embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a logical block diagram of an IP sharer detection system according to an embodiment of the present invention.

Referring to FIG. 1, the packet collecting module 100 receives packet data necessary for detecting an IP router, for example, a packet in which a SYN flag is activated among TCP packets, HTTP data among user data packets And the IP-ID information of the IP header are collected and stored in the TCP SYN queue 110, the user-agent queue 120, and the IP-ID queue 130 located at the rear end.

The router detection engine 200 basically includes an IP-ID analysis module 240 and a router determination module 250. In addition to these configurations, the router detection engine 200 may include a passive fingerprinting analysis module 210, a TTL pattern analysis module 220, a user-agent data analysis module 230, ≪ / RTI >

The IP-ID analysis module 240, which can configure the router detection engine 200, analyzes the IP-ID increase pattern of the IP header that changes over time, and detects two or more IP-ID increase patterns simultaneously Is analyzed. The operation of the IP-ID analysis module 240 will be described later in detail with reference to FIG.

On the other hand, the passive fingerprint analysis module 210, which can configure the router detection engine 200, analyzes the packets stored in the TCP SYN queue 110, that is, the packet in which the SYN flag is activated, to extract OS information being used by the source IP . That is, the passive fingerprinting analysis module 210 extracts the OS information in use from the corresponding source IP by using a feature having a certain pattern value of the IP field and the TCP header in the TCP SYN packet for each OS, And transmits the information list together with the source IP to the router determination module 250.

Another TTL pattern analysis module 220 capable of configuring the router detection engine 200 compares the TTL value stored in the TCP SYN queue 110, i.e., the packet in which the SYN flag is activated, with the initial TTL value for each OS Extracts OS information in use, and transmits the OS information to the router determination module 250.

For a router that performs routing functions, the TTL value is reduced as the packet from the terminal connected to the router passes through the router. For example, a Windows-based OS generates a first TCP SYN packet with a TTL value of 128, and when it goes through an IP router, its TTL value is decremented by 127. Therefore, when the TTL value is detected as 127, the OS closest to the OS can be estimated as the OS of the window system, and since 1 is decreased from 128, it can be estimated as a packet passing through one IP router. The information transmitted from the TTL pattern analysis module 220 to the router determination module 250 is whether the OS information and the TTL value that are determined as the TTL value in each source IP and the corresponding source IP are decreased.

The user-agent data analysis module 230, which is another module capable of configuring the router detection engine 200, analyzes the user-agent information stored in the user-agent queue 120, And transmits the extracted information to the router determination module 250.

In general, the HTTP header data includes a comment containing the name of the web browser product and OS information. Therefore, OS information of the target device using the source IP can be extracted by comparing the OS distinguishing character string included in the user-agent information stored in the queue 120 with the discrimination string of each OS.

OS type User-OS distinguished string included in agent Windows 95 Win95 Windows 98 Win98 : :

Lastly, the router determination module 250, which is a basic module configuring the router detection engine 200, includes a passive fingerprint analysis module 210, a TTL pattern analysis module 220, a user-agent data analysis module 230, ID analyzing module 240 based on the information input from the ID analyzing module 240. For example, if two or more OSes exist in one IP or a decrease in TTL value is detected through input information, or if two or more IP-ID patterns are simultaneously detected in one IP, Output.

Hereinafter, the operation of the IP sharer detection system having the above-described configuration will be described in more detail with reference to FIG. 2 to FIG.

FIG. 2 is a diagram for explaining packet data collected in the packet memory module 100 and stored in a queue memory according to an embodiment of the present invention. FIG. 3 is a diagram illustrating an IP-ID increase FIG. 5 is a view for explaining a pattern analysis process. FIG. 4 is a diagram for explaining an IP sharer determination process according to an embodiment of the present invention. For reference, in the following description, the router detection engine 200 detects both the passive fingerprint analysis module 210, the TTL pattern analysis module 220, and the user-agent data analysis module 230 in addition to the IP- Will be described below.

 Referring to FIG. 2, the packet acquisition module 100 captures an IP packet on Ethernet transmitted through a network (step S10). Then, the captured packet is analyzed (step S12) to extract the packet in which the SYN flag of the TCP packet, the user-agent information in the HTTP data, and the IP-ID information of the IP header are extracted, and the TCP SYN queue 110, The user-agent queue 120, and the IP-ID queue 130, respectively (S14).

The passive fingerprinting analysis module 210 analyzes a packet stored in the TCP SYN queue 110, that is, a packet in which the SYN flag is activated, to determine a specific field value of the IP and TCP header in the TCP SYN packet, Extracts the OS information in use from the corresponding source IP, and transmits the extracted OS information list together with the source IP to the router determination module 250.

In addition, the TTL pattern analysis module 220 compares the TTL value stored in the TCP SYN queue 110, that is, the packet with the SYN flag activated, with the initial TTL value for each OS, extracts the OS information in use, Information such as OS information determined as a TTL value in the source IP and whether the TTL value is decreased is transmitted to the router determination module 250.

Also, the user-agent data analysis module 230 analyzes the user-agent information stored in the user-agent queue 120, extracts OS information of the source IP equipment in which the packet is generated, and transmits the OS information to the router determination module 250.

Meanwhile, the IP-ID analysis module 240 analyzes the IP-ID increase pattern of the IP header that changes with time, and analyzes whether two or more IP-ID increase patterns are detected simultaneously at an arbitrary time. 3,

First, in the case of the Microsoft Windows OS, the IP-ID has a pattern that increases at regular intervals. Therefore, when two or more IP-ID increase patterns are found in the same IP, it is a conventional IP-ID pattern analysis method to determine the IP as a router. Note that when the increasing IP-ID reaches the limit (65535 or 32767), it starts again at the initial value (0 or more constant value). In the conventional analysis method, a series of IP- It recognizes the ID flow as a new pattern. In order to solve this problem, a method for determining the presence or absence of a router based on the number of patterns overlapping at an intermediate time with respect to a pattern shaped for a predetermined time, that is, To eliminate the risk factors of false positives as described above.

In FIG. 3, 2a is a pattern that is excluded from the measurement object in a pattern outside the measurement start time range. The two actually measured patterns are the pattern 2b extracted from the packet generated by the detection device 1a and the packet generated by the detection device 1b And extracted pattern 2c. 3, it can be seen that different patterns 2b and 2c overlap and proceed at the same time. That is, the IP-ID analysis module 240 analyzes the IP-ID flow and obtains an IP-ID that forms two or more IP-ID increase patterns 2b and 2c at an arbitrary time (for example, (250, 503) are detected at the same time, the result is transmitted to the router determination module (250).

When the analysis result values obtained by the operation of each of the analysis modules 210, 220, 230 and 240 are transmitted to the router determination module 250, the router determination module 250 determines whether or not the IP router is used according to the flowchart shown in FIG. .

That is, the router determination module 250 determines whether two or more OSes exist in one IP (step S30), whether a decrease in the TTL value is detected (step S32), that two or more IP- (Step S34) is checked. If it is determined that two or more OSs exist in one IP, a decrease in the TTL value is detected, or two or more IP-ID increase patterns are simultaneously detected in one IP, it is determined to be an IP router (step S36) By outputting the result to the external device, the use of the unauthorized IP sharer can be normally detected.

As described above, the router detection engine 200 includes the passive fingerprinting analysis module 210, the TTL pattern analysis module 220, and the user-agent data analysis module 230 in addition to the IP-ID analysis module 240 In parallel configuration, if there is more than one PC of the same OS under the IP router, it can not be detected by passive fingerprinting method, but it can be detected by TTL reduction pattern, It is not possible to detect by the TTL reduction pattern. However, if there are two or more OSs with different OS or versions, it can be detected through user-agent data analysis, and the PC of the same version of the OS If more than one exists, this can be detected by analyzing the increase pattern of IP-ID. As a result, the present invention can provide four complementary methods It is possible to normally detect the use of various types of unauthorized IP sharers.

Although the embodiment of the present invention has been described with respect to the embodiment using four different techniques, the IP sharer may be detected through a combination of the embodiments.

For example, if the router detection engine 200 is configured using only the IP-ID analysis module 240 and the passive fingerprint analysis module 210, for example, there are two or more PCs installed with a Windows OS under the IP router In this case, it is possible to detect the IP router by the IP-ID increase pattern analysis. In another case, if there are two or more OSes other than the window OS, the IP router can detect the OS through the passive fingerprinting.

If the router detection engine 200 is configured using only the IP-ID analysis module 240 and the TTL pattern analysis module 220, for example, a PC having a Windows OS installed in an IP router having a property that the TTL value is not reduced If there are PCs other than Windows OS in the router where the pattern of decreasing the TTL value is present in another case, it can be detected by the IP router by decreasing the TTL. It will be possible.

Furthermore, if the router detection engine 200 is configured with only the IP-ID analysis module 240 and the user-agent data analysis module 230, for example, two or more PCs having the same Windows OS installed under the IP router exist If there are two or more Windows OSes that have two or more OSs or versions under IP sharer, it is possible to detect them by IP-ID increase pattern analysis. It can be detected as a router.

If the router detection engine 200 is configured with the IP-ID analysis module 240, the passive fingerprint analysis module 210, and the TTL pattern analysis module 220, for example, The IP sharing device can be detected by the passive fingerprinting analysis module 210. However, if there are two or more PCs having the Windows OS installed therein without the TTL reduction pattern, the IP-ID increase Pattern analysis allows IP sharer detection.

If the router detection engine 200 is configured with the IP-ID analysis module 240, the passive fingerprint analysis module 210, and the user-agent data analysis module 230, for example, If more than one Windows OS exists, it can not be detected by the passive fingerprinting analysis module 210. However, if there are two or more Windows OSes having different versions, it can be detected through user-agent analysis. The presence of more than one IP-ID increase pattern can be detected, and the three analysis modules can detect the IP sharing device in a complementary manner.

If the router detection engine 200 is configured with the IP-ID analysis module 240, the TTL pattern analysis module 220 and the user-agent data analysis module 230, the IP router having the property that the TTL value is not reduced When a PC is connected, it can not be detected by the TTL decrease pattern. However, when there are two or more Windows OSs having two or more different OS or version, it can be detected by the IP router through user-agent analysis, If there are two or more PCs in the OS, it can be detected through IP-ID increase pattern analysis.

As described above, according to the present invention, it is possible to normally detect the use of various unauthorized IP sharers through a combination of the analysis modules 210, 220, 230 and 240 employing four different techniques.

Accordingly, the present invention uses a router detection method using passive fingerprinting, a router detection method using TTL reduction, a router detection method using a user agent, and a Router detection method improving the existing IP-ID increase pattern, It is a useful system to minimize the possibility of false positives and to reduce the possibility of false positives of existing IP-ID pattern analysis technology.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the invention. Accordingly, the true scope of the present invention should be determined only by the appended claims.

Claims (8)

A packet collecting module for collecting packet data necessary for detecting an IP router among IP packets on Ethernet transmitted through a network;
One or more queue memories in which at least one of a packet in which a SYN flag of the TCP packet or an IP-ID information of user-agent information or IP header in HTTP data is collected and stored respectively by the packet collecting module;
An IP-ID analysis module for analyzing an increase pattern of the IP-ID information of the IP header which changes with time and analyzing whether two or more IP-ID increase patterns are simultaneously detected at an arbitrary time;
A router determining module that determines that the IP router is an IP router when two or more IP-ID increase patterns are simultaneously detected in one IP;
And a TTL pattern analysis module for comparing the TTL value in the packet in which the SYN flag is activated with the initial TTL value for each OS to extract OS information in use, Wherein the IP sharer determines the IP sharer through the information input from each of the ID analysis modules. The passive fingerprinting analysis module according to claim 1, further comprising: a passive fingerprinting analysis module for analyzing a packet in which the SYN flag is activated and extracting OS information being used by the source IP, ID analyzing module, and the TTL pattern analyzing module, and determines the IP sharer through the information input from each of the TTL pattern analyzing modules. delete The method of claim 2, further comprising: a user-agent data analysis module for analyzing the user-agent information and extracting OS information generated by the packet, wherein the router determination module includes a user- Wherein the IP sharer is determined based on information input from the module, the passive fingerprint analysis module, and the IP-ID analysis module. delete The method of claim 1, further comprising: a user-agent data analysis module for analyzing the user-agent information and extracting OS information on which the packet is generated, wherein the router determination module includes a user- Module and the IP-ID analysis module, the IP sharer is determined based on information input from each of the modules. delete delete

Images