KR101645868B1 - Method and device for rule generation for application awareness - Google Patents

Method and device for rule generation for application awareness Download PDF

Info

Publication number
KR101645868B1
KR101645868B1 KR1020150048874A KR20150048874A KR101645868B1 KR 101645868 B1 KR101645868 B1 KR 101645868B1 KR 1020150048874 A KR1020150048874 A KR 1020150048874A KR 20150048874 A KR20150048874 A KR 20150048874A KR 101645868 B1 KR101645868 B1 KR 101645868B1
Authority
KR
South Korea
Prior art keywords
packet
value
application
fixed value
protocol
Prior art date
Application number
KR1020150048874A
Other languages
Korean (ko)
Inventor
조재익
김태범
Original Assignee
주식회사 퓨쳐시스템
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 퓨쳐시스템 filed Critical 주식회사 퓨쳐시스템
Priority to KR1020150048874A priority Critical patent/KR101645868B1/en
Application granted granted Critical
Publication of KR101645868B1 publication Critical patent/KR101645868B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/18Protocol analysers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a roll generating method for application awareness and a roll generating apparatus for application awareness. The roll generating method for application awareness according to the present invention may include the steps of: determining a packet where an application generating a first packet is distinguished, in the first packet, as a second packet; determining a packet belonging to a protocol group where a protocol of the application is fixed, in the second packet, as a third packet; and generating a roll related with awareness of the application, by using the third packet. The roll generating method of the present invention can reduce false detection and un-detection as to the generated roll, by distinguishing all information as to all packets generated in the application.

Description

TECHNICAL FIELD [0001] The present invention relates to a rule generation method for application recognition and a rule generation method for application recognition.

The present invention relates to a rule generation method for application recognition and a rule generation apparatus for application recognition.

In recent years, the need for next-generation firewalls (next-generation firewalls) to meet the ever-changing threats has increased with the increasing demand. In particular, there is a continuing need to develop a technology capable of identifying an application as well as a basic firewall function and grasping and manipulating the operation of the application.

In order to identify the application and to understand and manipulate the operation, it is necessary to analyze the network packet generated during a specific operation and to generate an event when a desired packet is detected. However, there are a myriad of applications currently developed and applications to be developed in the future.

In order to identify such an enormous amount of applications, there is a problem in that it takes a considerable time to analyze network packets.

Therefore, it is necessary to develop a method and apparatus for automatically generating rules through signatures in order to recognize a large amount of applications. That is, there is a need for a rule generation method and apparatus capable of analyzing a basic packet flow for a specific operation for each protocol through a packet or a dump packet generated when an application is executed, and to produce a pattern.

Disclosure of Invention Technical Problem [8] The present invention has been made to solve the above problems, and it is an object of the present invention to reduce the number of false positives and detections of generated rules by identifying information on all packets generated in an application.

As a technical method for achieving the above object, a rule generation method for application recognition includes a step of determining, as a second packet, a packet in which an application generating the first packet is identified as a second packet, , Determining a packet belonging to a protocol group in which the protocol of the application belongs to a third packet, and generating a rule associated with recognition of the application using the third packet.

Further, a rule generation apparatus for application recognition for achieving the above object determines, among the first packets, a packet in which an application generating the first packet is identified as a second packet, and among the second packets, And a processor for determining a packet belonging to the protocol group having the protocol group as a third packet, wherein the processor can use the third packet to generate a rule associated with recognition of the application.

According to an embodiment of the present invention, by identifying information on all packets generated in the application, it is possible to reduce false positives and misses of generated rules.

In addition, according to an embodiment of the present invention, it is possible to automate packet classification and analysis for a plurality of applications, cope with the scalability of a rapidly generated application, generate rules based on application operations, Can be measured.

1 is a block diagram illustrating a rule generation apparatus for application recognition according to an embodiment of the present invention.
FIG. 2 is a workflow diagram specifically illustrating a rule generation method for application recognition according to an embodiment of the present invention.
3 is a diagram for explaining a process of determining a second packet according to an embodiment of the present invention.
4 is a diagram for explaining a process of extracting a fixed value and a packet variable value in a key-value manner according to an embodiment of the present invention.
5 is a diagram for explaining a process of extracting a fixed value and a packet variable value according to the byte sequence method according to an embodiment of the present invention.
FIG. 6 is a diagram for explaining a process of extracting a fixed value and a packet variable value according to a distance method according to an embodiment of the present invention.
7 is a diagram for explaining a rule generation process according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating a json configuration group according to an embodiment of the present invention. Referring to FIG.
9 is a diagram showing a rule file generated by a rule generation apparatus according to an embodiment of the present invention.

Hereinafter, embodiments according to the present invention will be described in detail with reference to the accompanying drawings. However, the present invention is not limited to or limited by the embodiments. Like reference symbols in the drawings denote like elements.

A rule generation method for application recognition and a rule generation device for application recognition described in this specification can automate packet classification and analysis and identify information about all packets generated in an application.

1 is a block diagram illustrating a rule generation apparatus for application recognition according to an embodiment of the present invention.

A rule generating apparatus (hereinafter, referred to as 'rule generating apparatus') 100 for recognizing an application of the present invention may include a processor 110. In addition, according to the embodiment, the rule generating apparatus 100 can be configured by adding an interface unit 120. [

First, the processor 110 determines, among the first packets, a packet in which an application that generated the first packet is identified as a second packet, and, in the second packet, the protocol of the application belongs to a specified protocol group And determines the packet as the third packet. Here, the first packet may be at least one of TCP and UDP packets generated in the network, but is not limited thereto.

Also, the protocol group may be a file in which the protocol of the interested application set by the user is created. For example, the protocol group may be a file composed of at least one of protocols such as HTTP, BitTorrent, and RTMP.

That is, the processor 110 can determine a packet in which an application is identified for a first packet generated by an application as a second packet, and for the protocol of the application, Can be determined as the third packet.

In addition, the processor 110 uses the third packet to generate a rule associated with the recognition of the application. That is, the processor 110 may generate a rule related to recognizing the application in the determined third packet. Here, the rule is for systematically recognizing an application, and may be information including a signature embedded in an application. When analyzing an application in which a rule is generated, it is possible to recognize the signature in the inserted rule and to recognize the application, thereby improving the convenience in analyzing the application.

In addition, the processor 110 determines whether the fixed value extracted in the third packet is held in a predetermined setting group, and which is extracted from each of the third packet and the setting group corresponding to the fixed value, If the values do not match, a signature composed of the fixed value and the packet variable value is created, and a rule including at least the signature can be generated.

Here, the setting group is a configuration file set by the user, and the setting file may be a file storing information on the rule type created by the user. That is, the processor 110 may compare the fixed value and the set variable value in the setting group with the fixed value and the packet variable value in the third packet, respectively. At this time, the processor 110 can generate a rule when the fixed value is held in the setting group, and the packet variable value and the set variable value do not coincide with each other.

When the fixed value extracted in the third packet is not held in the predetermined setting group, the processor 110 further comprises a fixed value and a packet variable value extracted from the third packet in correspondence with the fixed value , And generate a rule including at least the signature. That is, if the fixed value in the third packet does not match the fixed value set in the setting group, the processor 110 can generate the rule with the fixed value and the packet variable value extracted in the third packet.

In addition, the processor 110 may update the setting group using the fixed value and the packet variable value. That is, when the fixed value extracted in the third packet is not held in the setting group, the processor 110 can update the setting group to the fixed value and the packet variable value extracted in the third packet.

In addition, the processor 110 determines whether the fixed value extracted in the third packet is held in a predetermined setting group, and which is extracted from each of the third packet and the setting group corresponding to the fixed value, If the values match, generation of the rule can be omitted. That is, in a state where the fixed value extracted from the third packet is maintained in the setting group, the processor 110 generates a rule when the packet variable value extracted in the third packet matches the setting variable value extracted from the setting group I can not.

In addition, the processor 110 recognizes a layer constituting the application through an application protocol classification, and if a protocol included in the layer matches a protocol registered in the protocol group, It can be determined as the third packet. For example, the processor 110 may recognize a layer constituting an application of OSI (Open System Interconnection) 7 layer and determine a third packet for an application matching a protocol registered in the protocol group.

Next, the interface unit 120 can collect the packets generated according to the execution of the application as the first packet. That is, the interface unit 120 may collect the first packet, and the first packet may be a packet generated as the application is executed.

At this time, the processor 110 searches the network information table for a process identifier corresponding to the packet information about the collected packet. If the program name designated by the process identifier is identified in the PID (Process ID) information table, And may determine the collected packet as the second packet. That is, the processor 110 can identify the process identifier from the first packet and retrieve the process identifier from the network information table. At this time, the processor 110 may check the PID information corresponding to the process identifier, and may determine the collected packet as the second packet if there is information matching the PID in the PID information table.

A more detailed description of the process of determining the second packet will be described with reference to FIG.

According to the rule generation apparatus 100 for application recognition of the present invention, information on all packets generated in the application can be identified, thereby reducing false positives and false positives for generated rules.

In addition, it is possible to automate packet classification and analysis for a plurality of applications, cope with extensibility of a rapidly generated application, and generate a rule based on an application operation, whereby importance can be measured for each operation.

FIG. 2 is a workflow diagram specifically illustrating a rule generation method for application recognition according to an embodiment of the present invention.

First, a rule generation method for application recognition according to the present embodiment may be performed by the rule generation apparatus 100 described above.

First, the rule generating apparatus 100 determines a packet in which an application that generated the first packet is identified as a second packet, among the first packets (210). Here, the first packet may be at least one of TCP and UDP packets generated in the network, but is not limited thereto.

At this time, the rule generating apparatus 100 may collect packets generated as the application is executed as the first packet. That is, the rule generating apparatus 100 may collect the first packet, which may be a packet generated as the application is executed.

In this case, the step 210 searches the network information table for a process identifier corresponding to the packet information about the collected packet, identifies the program name designated by the process identifier in the PID information table, It is possible to determine the collected packet as the second packet. That is, the rule generating apparatus 100 can check the process identifier from the first packet and retrieve the process identifier from the network information table. At this time, the rule generating device 100 can check the PID information corresponding to the process identifier and determine the collected packet as the second packet if there is information matching the corresponding PID in the PID information table.

3 is a diagram for explaining a process of determining a second packet according to an embodiment of the present invention.

The rule generation apparatus 100 may collect PID information and network information that are being executed in the host while collecting the first packet. The rule generating apparatus 100 can determine from the collected packets a packet generated by using the first packet information, the PID information, and the network information is a packet generated in a host process, and can determine the packet as a second packet.

For example, it may be a process as shown in FIG. First, the rule generation apparatus 100 can identify the port of the root address, the port of the destination address, and the protocol through the IP layer as a process identifier (step 1). Next, the rule generating apparatus 100 can compare the port of the root address, the port of the destination address, and the protocol with the network information table. As a result of comparison, if there is information having the same process identifier, the rule generating apparatus 100 can retrieve the PID information from the corresponding process identifier (step 2). Next, the rule generation device 100 searches the PID information retrieved in step 2 from the PID information table indicating the entire PID information, and identifies the program name matched with the PID information (step 3) . The rule generating apparatus 100 can recognize that the program having the program name has been generated according to the execution of an application for the identified packet and can determine the collected packet as the second packet.

Referring again to FIG. 2, the rule generating apparatus 100 determines a packet belonging to a protocol group in which the protocol of the application belongs, among the second packets, as a third packet (220). Here, the protocol group may be a file in which a protocol of the interested application set by the user is created. For example, the protocol group may be a file composed of at least one of protocols such as HTTP, BitTorrent, and RTMP.

That is, the rule generation apparatus 100 can determine a packet in which an application is identified with respect to a first packet generated from an application as a second packet, and, in the second packet, Can be determined as the third packet.

In addition, step 220 recognizes a layer constituting the application through an application protocol classification (APP Protocol Classification), and if the protocol included in the layer coincides with a protocol registered in the protocol group, And determining the associated packet as the third packet. For example, the rule generating apparatus 100 recognizes a layer constituting an application of OSI (Open System Interconnection) 7 layers, and can determine a third packet for an application that matches a protocol registered in the protocol group.

Next, the rule generating apparatus 100 generates a rule associated with the recognition of the application using the third packet (230). That is, the step 230 may be a process of generating a rule relating to recognizing the application with the determined third packet. Here, the rule is for systematically recognizing an application, and may be information including a signature embedded in an application. When analyzing an application in which a rule is generated, it is possible to recognize the signature in the inserted rule and to recognize the application, thereby improving the convenience in analyzing the application.

According to an embodiment, the rule generation apparatus 100 determines whether the fixed value extracted in the third packet is maintained in a predetermined setting group, and if it is determined that the fixed value is maintained, The packet variable value and the setting variable value extracted from each of the setting groups can be compared. If the comparison result does not match, step 230 may be a step of creating a signature composed of the fixed value and the packet variable value. In addition, step 230 may be a process of generating a rule including at least the signature.

Here, the setting group is a configuration file set by the user, and the setting file may be a file storing information on the rule type created by the user. That is, the rule generating apparatus 100 can compare the fixed value and the set variable value in the setting group with the fixed value and the packet variable value in the third packet, respectively. At this time, the rule generating apparatus 100 can generate a rule when the fixed value is held in the setting group, and the packet variable value and the set variable value do not coincide with each other.

According to the embodiment, the rule generation apparatus 100 can determine whether the fixed value extracted in the third packet is maintained in a predetermined setting group. If it is determined not to be maintained, step 230 may be a process of creating a signature comprising the fixed value and a packet variable value corresponding to the fixed value and extracted from the third packet. Additionally, step 230 may generate a rule that includes at least the signature. That is, when the fixed value in the third packet does not coincide with the fixed value set in the setting group, the rule generating apparatus 100 can generate the rule with the fixed value and the packet variable value extracted in the third packet.

According to the embodiment, the rule generation apparatus 100 can determine whether the fixed value extracted in the third packet is maintained in a predetermined setting group. If not, the rule generation apparatus 100 can update the setting group using the fixed value and the packet variable value corresponding to the fixed value and extracted from the third packet. That is, when the fixed value extracted in the third packet is not held in the setting group, the rule generating apparatus 100 can update the setting group to a fixed value and a packet variable value extracted in the third packet.

According to the embodiment, the rule generating apparatus 100 compares the packet variable value and the set variable value, which are extracted from each of the third packet and the setting group, corresponding to the fixed value extracted in the third packet, If the results match, generation of the rule can be omitted. That is, when the packet variable value extracted in the third packet and the set variable value extracted from the setting group are identical with each other in a state where the fixed value extracted in the third packet is maintained in the setting group, May not be generated.

According to the embodiment, the rule generation apparatus 100 may generate the rule-based rule from the third packet in at least one of a key-value scheme, a byte sequence scheme, and a distance scheme, And a packet variable value can be extracted. In other words, the rule generation apparatus 100 can extract a fixed value and a packet variable value using an application protocol structure, and can extract at least one of a key-value scheme, a byte sequence scheme, and a distance scheme. The process of extracting the fixed value and the packet variable value using the key-value method, the byte sequence method, and the distance method will be described with reference to FIG. 4 to FIG.

4 is a diagram for explaining a process of extracting a fixed value and a packet variable value in a key-value manner according to an embodiment of the present invention.

If the third packet is a key-value structure, the rule-generating apparatus 100 distinguishes a key from a value in the third packet by a delimiter, Extracts the value as a fixed value, and extracts the value as the packet variable value. That is, the rule generating apparatus 100 can distinguish keys and values using a key-value delimiter for distinguishing keys and values. Also, if there are multiple keys and values, the key and value can be distinguished through a frame delimiter. At this time, the key may be a fixed value, and the value may be a packet variable value.

5 is a diagram for explaining a process of extracting a fixed value and a packet variable value according to the byte sequence method according to an embodiment of the present invention.

If the third packet is a byte sequence structure, the rule generation apparatus 100 may extract the ordinal number in the byte sequence structure as the fixed value and extract the value as the packet variable value. Here, the byte sequence structure is a structure having a fixed order and a value, and may be a structure for performing communication by sequentially specifying a specific size, a specific value, and the like. The rule generating apparatus 100 can extract the ordinal number in the byte sequence structure as a fixed value and the value as a packet variable value.

FIG. 6 is a diagram for explaining a process of extracting a fixed value and a packet variable value according to a distance method according to an embodiment of the present invention.

When the third packet is a distance structure, the rule generation apparatus 100 may extract the reference key as the fixed value and extract the value separated by the distance from the reference key as the packet variable value. Here, the distance structure may be composed of values of positions shifted by distance based on the reference key and the reference key. In other words, the rule generating apparatus 100 can extract the reference key as a fixed value and extract the value at a position distant from the reference key as a packet variable value.

7 is a diagram for explaining a rule generation process according to an embodiment of the present invention.

The rule generation process for application recognition through the rule generation apparatus 100 can be broadly classified into a preprocess, a middle process, and a post process.

First, preprocessing may be a process of determining which application generated a packet by a rule. If it is determined by an application that a packet collected in the preprocessing process is generated, the rule generating apparatus 100 may pass the packet to the intermediate processing, and otherwise terminate the packet. At this time, the rule generation apparatus 100 may consider only TCP or UDP packets (hereinafter referred to as F1 packets) among the packets generated in the network. When the F1 packet is collected, the rule generation device 100 can collect the PID information and the network information of the host. The rule generation apparatus 100 can use the collected F1 packet information, PID information, and network information to find out which packet the collected packet is generated by a host process.

Next, the intermediate process may be a process of distinguishing whether the OSI 7 layer includes an application protocol interested in the application layer in the F2 packet. The rule generating apparatus 100 may pass the packet to the post-process, if not, if it is identified as a packet of interest, and otherwise terminate. That is, if the application protocol of the F2 packet obtained by the application protocol classification process is included in the application protocol of interest to the user in the protocol group (Configuration 1), the rule generation apparatus 100 may pass the packet to the process have. At this time, the protocol group may be a file in which the application protocol name of interest is written.

Next, the post-process may be a process of generating a rule by extracting a fixed value and a packet variable value from the application layer of the F3 packet on the structure of the application protocol. At this time, if the desired value can not be extracted, the rule generating apparatus 100 may store the structure information of the corresponding file for generating additional analysis or additional rules, and may generate a rule for the content. When the F3 packet is collected, the rule generation apparatus 100 can extract a fixed value and a packet variable value using an application protocol structure known in the middle processing. At this time, as a method of extracting the fixed value and the packet variable value, the rule generating apparatus 100 can use at least one of a key-value method, a byte sequence method, and a distance method.

The rule generating apparatus 100 may compare the extracted fixed value and the packet variable value with a configuration group (configuration 2) set by the user.

FIG. 8 is a diagram illustrating a json configuration group according to an embodiment of the present invention. Referring to FIG.

The setting group can be filled with information by the user, and the content of what kind of rule is to be generated can be specified. If the F3 packet has a structure specified in the setting group, the packet variable value can be extracted based on the fixed value. At this time, if the packet variable value extracted from the F3 packet is a new value, the rule generation apparatus 100 can perform a rule generation process. If the packet variable value is an existing value, the rule generating apparatus 100 can terminate. If the collected F3 packet is not the structure specified in the setting group, the fixed value and the packet variable value are extracted from the F3 packet using the application structure obtained in the intermediate processing, the setting group is updated to the corresponding value, Can be generated.

9 is a diagram showing a rule file generated by a rule generation apparatus according to an embodiment of the present invention.

As shown in FIG. 9, the rule generation apparatus 100 can generate a rule by performing a rule generation process based on a setting group. At this time, the rule generating apparatus 100 can generate a rule according to the snort rule specification.

According to the rule generation method for application recognition of the present invention, by identifying information on all packets generated in the application, it is possible to reduce false positives and misses to the generated rules.

In addition, it is possible to automate packet classification and analysis for a plurality of applications, cope with extensibility of a rapidly generated application, and generate a rule based on an application operation, whereby importance can be measured for each operation.

The method according to an embodiment of the present invention may be implemented in the form of a program command that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions to be recorded on the medium may be those specially designed and configured for the embodiments or may be available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magnetic media such as floppy disks; Magneto-optical media, and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. For example, it is to be understood that the techniques described may be performed in a different order than the described methods, and / or that components of the described systems, structures, devices, circuits, Lt; / RTI > or equivalents, even if it is replaced or replaced.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

100: a rule generation device for application recognition
110: Processor
120:

Claims (18)

Determining, as a second packet, a packet in which an application generating the first packet is identified, out of the first packets;
Determining, among the second packets, a packet belonging to a protocol group in which the protocol of the application is determined as a third packet;
If the third packet is a key-value structure, a key is separated from the third packet by a delimiter by a fixed value, and a value is divided into a packet variable value Extracting;
Determining whether the fixed value is maintained in a predetermined setting group;
Comparing the packet variable value with a setting variable value extracted from the setting group; And
As a result of the comparison, if they do not match,
Generating a rule associated with the recognition of the application, the rule including at least a signature formed by the fixed value and the packet variable value;
The method comprising the steps of: Determining, as a second packet, a packet in which an application generating the first packet is identified, out of the first packets;
Determining, among the second packets, a packet belonging to a protocol group in which the protocol of the application is determined as a third packet;
If the third packet is a key-value structure, extracting a key from the third packet by dividing the key by a fixed value, dividing the value into packet variable values, and extracting the packet;
Determining whether the fixed value is maintained in a predetermined setting group; And
If not,
Generating a rule associated with the recognition of the application, the rule including at least the signature generated by constructing the fixed value and the packet variable value
The method comprising the steps of: Determining, as a second packet, a packet in which an application generating the first packet is identified, out of the first packets;
Determining, among the second packets, a packet belonging to a protocol group in which the protocol of the application is determined as a third packet;
Using the third packet, generating a rule associated with recognition of the application;
If the third packet is a key-value structure, extracting a key from the third packet by dividing the key by a fixed value, dividing the value into packet variable values, and extracting the packet;
Determining whether the fixed value is maintained in a predetermined setting group; And
If it is determined that the packet is not maintained, updating the setting group using the fixed value and the packet variable value
The method comprising the steps of: Determining, as a second packet, a packet in which an application generating the first packet is identified, out of the first packets;
Determining, among the second packets, a packet belonging to a protocol group in which the protocol of the application is determined as a third packet;
Using the third packet, generating a rule associated with recognition of the application;
If the third packet is a key-value structure, extracting a key from the third packet by dividing the key by a fixed value, dividing the value into packet variable values, and extracting the packet;
Determining whether the fixed value is maintained in a predetermined setting group;
Comparing the packet variable value with a setting variable value extracted from the setting group; And
If the result of the comparison is that there is a match, a step of omitting the generation of the rule
The method comprising the steps of: Determining, as a second packet, a packet in which an application generating the first packet is identified, out of the first packets;
Determining, among the second packets, a packet belonging to a protocol group in which the protocol of the application is determined as a third packet;
Extracting an ordinal number in the byte sequence structure as a fixed value from the third packet and extracting a value as a packet variable value when the third packet is a byte sequence structure
Determining whether the fixed value is maintained in a predetermined setting group;
Comparing the packet variable value with a setting variable value extracted from the setting group; And
As a result of the comparison, if they do not match,
Generating a rule associated with the recognition of the application, the rule including at least a signature formed by the fixed value and the packet variable value;
The method comprising the steps of: Determining, as a second packet, a packet in which an application generating the first packet is identified, out of the first packets;
Determining, among the second packets, a packet belonging to a protocol group in which the protocol of the application is determined as a third packet;
Extracting an ordinal number in the byte sequence structure as a fixed value from the third packet and extracting a value as a packet variable value when the third packet is a byte sequence structure
Determining whether the fixed value is maintained in a predetermined setting group; And
If not,
Generating a rule associated with the recognition of the application, the rule including at least the signature generated by constructing the fixed value and the packet variable value
The method comprising the steps of: Determining, as a second packet, a packet in which an application generating the first packet is identified, out of the first packets;
Determining, among the second packets, a packet belonging to a protocol group in which the protocol of the application is determined as a third packet;
Using the third packet, generating a rule associated with recognition of the application;
If the third packet is a byte sequence structure, extracting the ordinal number in the byte sequence structure as a fixed value from the third packet and extracting the value as a packet variable value;
Determining whether the fixed value is maintained in a predetermined setting group; And
If it is determined that the packet is not maintained, updating the setting group using the fixed value and the packet variable value
The method comprising the steps of: Determining, as a second packet, a packet in which an application generating the first packet is identified, out of the first packets;
Determining, among the second packets, a packet belonging to a protocol group in which the protocol of the application is determined as a third packet;
Using the third packet, generating a rule associated with recognition of the application;
If the third packet is a byte sequence structure, extracting the ordinal number in the byte sequence structure as a fixed value from the third packet and extracting the value as a packet variable value;
Determining whether the fixed value is maintained in a predetermined setting group;
Comparing the packet variable value with a setting variable value extracted from the setting group; And
If the result of the comparison is that there is a match, a step of omitting the generation of the rule
The method comprising the steps of: 9. The method according to any one of claims 1 to 8,
Extracting the fixed value and the packet variable value from the third packet in a distance manner
Further comprising the steps of: 10. The method of claim 9,
If the third packet is a distance structure,
Extracting the reference key as the fixed value; And
Extracting a value that is spaced apart from the reference key by the distance as the packet variable value
Further comprising the steps of: 9. The method according to any one of claims 1 to 8,
Collecting, as the first packet, a packet generated according to execution of the application
Further comprising:
The step of determining as the second packet comprises:
Searching a network information table for a process identifier corresponding to the packet information about the collected packet;
Identifying a program name designated by the process identifier in a PID information table; And
Determining the collected packet as the second packet if the program name is identified;
Lt; / RTI > 9. The method according to any one of claims 1 to 8,
Wherein the determining of the third packet comprises:
Recognizing a layer constituting the application through APP Protocol Classification; And
Determining a packet associated with the application as the third packet if the protocol included in the layer matches a protocol registered in the protocol group
Lt; / RTI > A packet in which an application that has generated the first packet is identified as a second packet among the first packets,
A packet belonging to a protocol group in which the protocol of the application belongs to the second packet is determined as the third packet,
If the third packet is a key-value structure, the delimiter extracts the key from the third packet by dividing it into a fixed value, separates the value into packet variable values,
Determines whether the fixed value is maintained in a predetermined setting group,
Comparing the packet variable value with a setting variable value extracted from the setting group,
Generating a rule associated with the recognition of the application, the signature including at least a signature that is composed of the fixed value and the packet variable value,
A rule generation unit configured to generate a rule generation rule; A packet in which an application that has generated the first packet is identified as a second packet among the first packets,
A packet belonging to a protocol group in which the protocol of the application belongs to the second packet is determined as the third packet,
If the third packet is a key-value structure, the delimiter extracts the key from the third packet by dividing it into a fixed value, separates the value into packet variable values,
Determines whether the fixed value is maintained in a predetermined setting group,
And generating the rule associated with the recognition of the application, if it is determined that the fixed value and the variable value of the packet are not maintained,
. A packet in which an application that has generated the first packet is identified as a second packet among the first packets,
A packet belonging to a protocol group in which the protocol of the application belongs to the second packet is determined as the third packet,
Generate a rule associated with the recognition of the application using the third packet,
If the third packet is a key-value structure, the delimiter extracts the key from the third packet by dividing the key into a fixed value, separates the value into packet variable values,
Determines whether the fixed value is maintained in a predetermined setting group,
If it is determined that the packet is not to be maintained, the processor updates the setting group using the fixed value and the packet variable value
. A packet in which an application that has generated the first packet is identified as a second packet among the first packets,
A packet belonging to a protocol group in which the protocol of the application belongs to the second packet is determined as the third packet,
Extracting a value as a packet variable value from the third packet if the third packet is a byte sequence structure, extracting the ordinal number in the byte sequence structure as a fixed value,
Determines whether the fixed value is maintained in a predetermined setting group,
Comparing the packet variable value with a setting variable value extracted from the setting group,
Generating a rule associated with the recognition of the application, the signature including at least a signature that is composed of the fixed value and the packet variable value,
. A packet in which an application that has generated the first packet is identified as a second packet among the first packets,
A packet belonging to a protocol group in which the protocol of the application belongs to the second packet is determined as the third packet,
Extracting a value as a packet variable value from the third packet if the third packet is a byte sequence structure, extracting the ordinal number in the byte sequence structure as a fixed value,
Determines whether the fixed value is maintained in a predetermined setting group,
And generating the rule associated with the recognition of the application, if it is determined that the fixed value and the variable value of the packet are not maintained,
. A packet in which an application that has generated the first packet is identified as a second packet among the first packets,
A packet belonging to a protocol group in which the protocol of the application belongs to the second packet is determined as the third packet,
Generate a rule associated with the recognition of the application using the third packet,
If the third packet is a byte sequence structure, extracts the ordinal number in the byte sequence structure as a fixed value from the third packet, extracts the value as a packet variable value,
Determines whether the fixed value is maintained in a predetermined setting group,
If it is determined that the packet is not to be maintained, the processor updates the setting group using the fixed value and the packet variable value
.
KR1020150048874A 2015-04-07 2015-04-07 Method and device for rule generation for application awareness KR101645868B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150048874A KR101645868B1 (en) 2015-04-07 2015-04-07 Method and device for rule generation for application awareness

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150048874A KR101645868B1 (en) 2015-04-07 2015-04-07 Method and device for rule generation for application awareness

Publications (1)

Publication Number Publication Date
KR101645868B1 true KR101645868B1 (en) 2016-08-04

Family

ID=56709611

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150048874A KR101645868B1 (en) 2015-04-07 2015-04-07 Method and device for rule generation for application awareness

Country Status (1)

Country Link
KR (1) KR101645868B1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120070016A (en) * 2010-12-21 2012-06-29 한국인터넷진흥원 Using string comparison malicious code detection and classification system and method
KR101388053B1 (en) * 2012-09-17 2014-04-22 주식회사 인프라웨어테크놀러지 Method of enhancing security based on permission detection for android applications, and computer-readable recording medium with android security program based on permission detection for the same

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120070016A (en) * 2010-12-21 2012-06-29 한국인터넷진흥원 Using string comparison malicious code detection and classification system and method
KR101388053B1 (en) * 2012-09-17 2014-04-22 주식회사 인프라웨어테크놀러지 Method of enhancing security based on permission detection for android applications, and computer-readable recording medium with android security program based on permission detection for the same

Similar Documents

Publication Publication Date Title
Meidan et al. ProfilIoT: A machine learning approach for IoT device identification based on network traffic analysis
CN111565205B (en) Network attack identification method and device, computer equipment and storage medium
CN109063745B (en) Network equipment type identification method and system based on decision tree
Sahu et al. Network intrusion detection system using J48 Decision Tree
CN112738015B (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
JP6348656B2 (en) Malware-infected terminal detection device, malware-infected terminal detection system, malware-infected terminal detection method, and malware-infected terminal detection program
CN107360145B (en) Multi-node honeypot system and data analysis method thereof
CN109587156B (en) Method, system, medium, and apparatus for identifying and blocking abnormal network access connection
US20170034195A1 (en) Apparatus and method for detecting abnormal connection behavior based on analysis of network data
KR20170060280A (en) Apparatus and method for automatically generating rules for malware detection
CN104426906A (en) Identifying malicious devices within a computer network
CN106485146B (en) A kind of information processing method and server
KR20210092464A (en) Apparatus and method for analyzing network traffic using artificial intelligence
EP3242240B1 (en) Malicious communication pattern extraction device, malicious communication pattern extraction system, malicious communication pattern extraction method and malicious communication pattern extraction program
CN112804123A (en) Network protocol identification method and system for scheduling data network
JP6181884B2 (en) Malware-infected terminal detection device, malware-infected terminal detection method, and malware-infected terminal detection program
Zhang et al. Detection of android malware based on deep forest and feature enhancement
EP3732844A1 (en) Intelligent defense and filtration platform for network traffic
CN113328985A (en) Passive Internet of things equipment identification method, system, medium and equipment
CN114972827A (en) Asset identification method, device, equipment and computer readable storage medium
CN110750788A (en) Virus file detection method based on high-interaction honeypot technology
CN113923003A (en) Attacker portrait generation method, system, equipment and medium
CN116915450A (en) Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction
CN109660656A (en) A kind of intelligent terminal method for identifying application program
US10445746B2 (en) Method for checking compliance of payment application in virtualized environment

Legal Events

Date Code Title Description
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190515

Year of fee payment: 4