KR101769442B1 - Method, system and computer-readable recording medium for security operation using internet of thing gateway - Google Patents

Publication number: KR101769442B1
Authority: KR (South Korea)
Prior art keywords: iot, security, policy, gateway, unit
Application number: KR1020150143542A
Other languages: Korean (ko)
Other versions: KR20170043895A (en)
Inventor: 박기담
Original Assignee: 주식회사 윈스
Application filed by: 주식회사 윈스
Priority to: KR1020150143542A
Publication of KR20170043895A
Application granted
Publication of KR101769442B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

According to an embodiment of the present invention, there is provided a security control system using an Internet of Things (IoT) gateway, comprising: a collecting unit that collects an IoT security log from an IoT gateway connected to one or more IoT terminals; an analysis unit that monitors and analyzes the IoT security log to identify an abnormal symptom; an interworking unit that obtains security-related service information through interworking with an IoT management server managing the IoT terminals and determines interworking with one or more external interworking terminals in response to the abnormal symptom; a state action unit that performs a measure capable of resolving the abnormal symptom or notifies one or more external devices of the abnormal symptom; and a policy unit that determines, after the state action, whether a policy is to be reflected and reflects it.

Description

METHOD, SYSTEM AND COMPUTER READABLE RECORDING MEDIUM FOR SECURITY OPERATION USING INTERNET OF THING GATEWAY

The present invention relates to a security control method and system using an Internet of Things (IoT) gateway. More particularly, it relates to a security control method and system that receive and analyze security logs through a gateway connected to IoT terminals, so that the security control system can take measures in response.

The Internet of Things (IoT) is a technology that allows devices in daily life to connect to networks and share information. Products and services under the IoT environment are constantly evolving. However, the development of a security control system related to the use of IoT is not yet active.

The IoT system is characterized in that the IoT management server controls the IoT terminals through a communication network such as the Internet, and a firewall exists between the IoT terminals in the IoT system and the IoT management server. However, in the existing IoT system, the firewall is configured as a security device for protecting the server.

More specifically, existing security methods collect events or status information from network devices (firewall, IPS, IDS, WAF, etc.), analyze them, recognize the situation through alarms, and take countermeasures by changing the policy of the device or updating the network security device.

However, the network security equipment connected to the IoT management servers is specialized in protecting the management server, that is, the assets inside the company, and has the disadvantage that it cannot protect IoT terminals such as a smart TV or a smart refrigerator. That is, each IoT terminal only provides the IoT management server with the information needed for the IoT service and receives no security management, and the IoT management server has no specialized security officer, so security threats cannot be handled effectively.

An object of the present invention is to provide a security control system capable of monitoring a security threat generated to an IoT terminal by analyzing traffic flowing between an IoT terminal and an IoT gateway and protecting an IoT terminal and an IoT management system. It is another object of the present invention to protect an asset (IoT terminal or IoT management system) from a security threat under the IoT environment.

According to an embodiment of the present invention, there is provided a security control system using an Internet of Things (IoT) gateway, comprising: a collecting unit that collects an IoT security log from an IoT gateway connected to one or more IoT terminals; an analysis unit that monitors and analyzes the IoT security log to identify an abnormal symptom; an interworking unit that obtains security-related service information through interworking with an IoT management server managing the IoT terminals and determines interworking with one or more external interworking terminals in response to the abnormal symptom; a state action unit that performs a measure capable of resolving the abnormal symptom or notifies one or more external devices of the abnormal symptom; and a policy unit that determines, after the state action, whether a policy is to be reflected and reflects it.

In the present invention, the analysis unit analyzes the IoT security log by one or more methods of correlation analysis, association analysis, and statistical analysis.

In the present invention, the analysis unit analyzes the IoT security log by determining whether the result of any one of the correlation analysis, association analysis, or statistical analysis of the IoT security log violates a threshold value.

In the present invention, the policy unit patches the software of one or more IoT terminals in which the abnormal symptom is detected.

In the present invention, the analyzer monitors a security log including at least one of an IoT gateway resource, an IoT device resource, and an IoT gateway security log.

In the present invention, the external interworking terminal includes a user terminal capable of executing remote CCTV or SMS and applications.

In the present invention, the security related service information includes IoT terminal management information or IoT service request customer information.

In the present invention, the policy reflected by the policy unit is an IoT gateway general policy or an IoT gateway security policy.

In the present invention, notifying one or more external devices of the abnormal symptom means notifying a security company terminal or a customer terminal of the abnormal symptom.

In the present invention, the state action unit further performs an action by remote control.

According to another embodiment of the present invention, there is provided a security management method using an Internet of Things (IoT) gateway, comprising: a collection step of collecting an IoT security log from an IoT gateway connected to one or more IoT terminals; an analysis step of monitoring and analyzing the IoT security log to identify an abnormal symptom; a step of acquiring security-related service information through interworking with an IoT management server managing the IoT terminals and determining interworking with one or more external interworking terminals in response to the abnormal symptom; a step of performing a measure capable of resolving the abnormal symptom or notifying one or more external devices of the abnormal symptom; and a policy step of determining, after the state action, whether a policy is to be reflected and reflecting it.

In the present invention, the analyzing step analyzes the IoT security log by at least one of correlation analysis, association analysis, and statistical analysis.

In the present invention, the analyzing step analyzes the IoT security log by determining whether the result of any one of the correlation analysis, association analysis, or statistical analysis of the IoT security log violates a threshold value.

In the present invention, the policy step patches the software for one or more IoT terminals for which the anomaly is detected.

In the present invention, the analyzing step monitors a security log including at least one of an IoT gateway resource, an IoT device resource, and an IoT gateway security log.

In the present invention, the external interworking terminal includes a user terminal capable of executing remote CCTV or SMS and applications.

In the present invention, the security related service information includes IoT terminal management information or IoT service request customer information.

In the present invention, the policy reflected by the policy step is an IoT gateway general policy or an IoT gateway security policy.

In the present invention, notifying one or more external devices of the abnormal symptom means notifying a security company terminal or a customer terminal of the abnormal symptom.

In the present invention, the state action step further performs an action by remote control.

In addition to this, another method for implementing the present invention, another system, and a computer-readable recording medium for recording a computer program for executing the method are further provided.

According to the present invention, a security control system can be provided that protects assets from security threats in an environment where IoT terminals are rapidly increasing.

Further, according to the present invention, security control can be performed for multiple IoT gateways that manage multiple IoT terminals.

In addition, according to the present invention, it is possible to perform an automatic action upon detection of an abnormal symptom, or a notification can be made to a specialist.

FIG. 1 is a diagram illustrating a relationship between a security control system and peripheral structures according to an exemplary embodiment of the present invention.
FIG. 2 is a block diagram illustrating an internal configuration of a security control system according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating an operation method of a security control system according to an exemplary embodiment of the present invention.
FIG. 4 is a diagram schematically showing an existing IoT system.

The following detailed description of the invention refers to the accompanying drawings, which illustrate, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, the specific shapes, structures, and characteristics described herein may be implemented by changing from one embodiment to another without departing from the spirit and scope of the invention. It should also be understood that the location or arrangement of individual components within each embodiment may be varied without departing from the spirit and scope of the present invention. Therefore, the following detailed description is not to be taken in a limiting sense, and the scope of the present invention should be construed as encompassing the scope of the appended claims and all equivalents thereof. In the drawings, like reference numbers designate the same or similar components throughout the several views.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that a person skilled in the art to which the present invention pertains can easily practice it.

FIG. 1 is a diagram illustrating a relationship between a security control system 100 and peripheral structures according to an exemplary embodiment of the present invention.

The present invention relates to a security control system 100 utilizing an Internet of Things (IoT) gateway. Referring to FIG. 1, the security management system 100 according to an exemplary embodiment of the present invention may communicate with the IoT gateway 200 and the IoT management server 300. Also, the IoT gateways 200 are connected to one or more IoT terminals 201. The IoT gateway 200 may be connected to the IoT management server 300 through the communication network 500. A network device 400, which may include a backbone router, a firewall, and a backbone switch, exists between the IoT gateway 200 and the IoT management server 300.

FIG. 4, compared with FIG. 1, shows the existing IoT environment. Referring to FIG. 4, in the existing environment the IoT system includes an IoT management server 2, a network device 3 for protecting the IoT management server, and a communication network 4 for connecting the IoT management server and the IoT terminals 1.

In the conventional environment shown in FIG. 4, the network device 3 including the firewall exists to protect the IoT management server 2, and the firewall only protects and manages the internal assets through network security control. The IoT terminals 1, on the other hand, are left exposed to security threats.

Even if the IoT terminals 1 each have a built-in security solution, checking all of the IoT terminals 1 as the system grows is not only costly but can also become a cumbersome process.

Referring to FIG. 1, the security control system 100 according to the embodiment of the present invention utilizes the IoT gateway 200 to improve the security level of the IoT terminals 201 without adding a separate process.

Referring again to FIG. 1, in the present invention the IoT gateway 200 connected to the IoT terminals 201 not only provides communication between the IoT management server 300 and the IoT terminals 201, but is also used to provide the security control system 100 capable of protecting the IoT terminals 201.

In more detail, the security management system 100 of the present invention can receive various IoT security logs through the IoT gateway 200 and inquire or set the IoT gateway 200 security policy. In this regard, one IoT security control system 100 can manage a plurality of IoT gateways 200, and one IoT gateway 200 can manage a plurality of IoT terminals 201.

In addition, the IoT security control system 100 can inquire, store, and utilize security-related service information, more specifically the service information required for security, through interlocking with the IoT management server 300. Also, the security control system 100 can detect abnormal symptoms by correlation analysis, association analysis, and statistical analysis based on the service information required for security that it has acquired through the interworking with the IoT management server 300. In addition, the security control system 100 may take appropriate measures in case of a security threat, and may change the security policy if necessary. The specific operation of the security control system 100 will be described later.

The IoT gateway 200 is a gateway device connected to the IoT terminal 201. The IoT gateway 200 may serve as an intermediate node so that the IoT terminals 201 can connect to the communication network 500. In the present invention, the IoT gateway 200 transmits and monitors the IoT security log so that the security control system 100 can perform security control on the IoT terminal 201. The IoT terminals 201 correspond to all the electronic devices to which the IoT technology can be applied. For example, there are a smart TV, an IoT refrigerator, and the like.

The IoT management server 300 is a server for controlling the IoT terminal 201 to provide an IoT service. The IoT management server 300 may be a computing device belonging to the IoT management system. The IoT management server 300 may store service information related to the IoT, and the service information may include all information about the IoT terminal and related services such as IoT terminal management information and IoT service request customer information. The network device 400 protects the IoT management server 300 from the communication network 500.

The communication network 500 connects a plurality of IoT terminals 201 and the IoT gateway 200 to the IoT management server 300. That is, the communication network 500 refers to a communication network that provides connection paths so that the IoT terminals 201 and the IoT gateway 200 can access the IoT management server 300 to transmit and receive packet data. The communication network 500 according to an exemplary embodiment of the present invention may be configured without regard to communication modes such as wired communication and wireless communication, and may be a LAN (Local Area Network), a MAN (Metropolitan Area Network), a WAN (Wide Area Network), and the like. Preferably, the communication network 500 as referred to herein may be a known wireless communication network.

FIG. 2 is a diagram illustrating an internal configuration of the security control system 100 according to an embodiment of the present invention.

Referring to FIG. 2, the security control system 100 according to an exemplary embodiment of the present invention includes a collecting unit 110, an analysis unit 120, an interlocking unit 130, a state action unit 140, and a policy unit 150.

First, the collecting unit 110 collects various security logs through the IoT gateway 200. At this time, the security log may include an IoT terminal traffic log, IoT terminal status information, IoT gateway status information, and the like. In addition, the collection unit 110 may collect security logs that can indicate the status of the IoT terminal 201 or the IoT gateway 200.

Next, the analysis unit 120 analyzes the IoT security log obtained by the collecting unit 110. The analysis unit 120 includes a monitoring unit 121, a correlation analysis unit 122, an association analysis unit 123, and a statistical analysis unit 124. The analysis unit 120 monitors the IoT security logs and analyzes them by correlation analysis, association analysis, or statistical analysis. In addition, the analysis unit 120 determines through this analysis whether the IoT security logs violate the threshold value.

For this purpose, the analysis unit 120 can inquire, store, and utilize the service information required for security through interlocking with the IoT management server 300, and can detect abnormal symptoms by correlation analysis, association analysis, and statistical analysis. At this time, the service information required for security may be IoT terminal management information and IoT service request customer information.

The monitoring unit 210 monitors the IoT security log collected by the collecting unit 110 to check whether there is an abnormal symptom, and if there is, an emergency response by the interlocking unit 130, which will be described later, is performed. When the monitoring unit 210 determines that there is no abnormality, the correlation analysis unit 122, the association analysis unit 123, and the statistical analysis unit 124 may perform their analyses in sequence.

In addition, the analysis unit 120 performs correlation analysis on the IoT security log by the correlation analysis unit 122 and determines whether the threshold value for the correlation analysis is violated (depending on the type of threshold, a violation is either exceeding it or not exceeding it). When the threshold value is violated, an emergency response by the interlocking unit 130, which will be described later, is performed.

In addition, the analysis unit 120 performs association analysis on the IoT security log by the association analysis unit 123, determines whether the threshold value is violated, and performs statistical analysis when the threshold value is not violated. Likewise, when the threshold value is violated, an emergency response by the interlocking unit 130, which will be described later, is performed.

In addition, the analysis unit 120 performs statistical analysis on the IoT security log by the statistical analysis unit 124, and when the threshold value is violated, the emergency response by the interlocking unit 130, which will be described later, is performed. If the threshold value is not violated, monitoring by the monitoring unit 121 is continued.

At this time, the analysis unit 120 according to an embodiment of the present invention can perform correlation analysis, association analysis, and statistical analysis based on the service information collected through interlocking with the IoT management server 300, as described above. The interworking with the IoT management server 300 can be performed by the interlocking unit 130 described later.

In an exemplary embodiment, the analysis unit 120 may monitor the IoT gateway resources collected by the collection unit 110 to check for anomalous indications. The IoT gateway resource may be one of the security logs related to the IoT gateway state information, and may be related to the CPU, memory, hard disk usage, network usage, etc. of the IoT gateway 200. The analysis unit 120 can detect an abnormal symptom associated with the IoT gateway 200 by monitoring the IoT gateway resource.

In another exemplary embodiment, the analysis unit 120 may monitor the IoT equipment resources collected by the collection unit 110 to check for anomalous indications. The IoT device resource may be a security log related to the status information of the IoT terminal 201, and may be related to the CPU, memory, hard disk usage, and network usage of the IoT device. The analysis unit 120 can detect an abnormal symptom associated with the IoT gateway 200 by monitoring the status information of the IoT terminal 201.

In another embodiment, the analyzer 120 may monitor the IoT gateway security log collected by the collecting unit 110 to check for anomalous indications. The IoT gateway security log may be used to confirm the SRCIP security log information detected by the IoT gateway 200, and the analyzer 120 may monitor the IoT gateway security log to detect an abnormal symptom.

In the above embodiments, the analysis unit 120 continues monitoring the security logs when no abnormal symptom is detected in the IoT gateway resource, the IoT equipment resource, or the IoT gateway security log, and if an abnormal symptom is found, it hands over to the interlocking unit 130 for an emergency response.

Next, the interlocking unit 130 obtains service information related to security through interworking with the IoT management server managing the IoT terminal, and determines interworking with one or more external interworking terminals in response to an abnormal symptom. The abnormal symptom refers to a case that the analysis unit 120 has determined to be abnormal. The decision of the interlocking unit 130 to interlock with one or more external interlocking terminals may be referred to as an emergency response. The interlocking unit 130 according to an embodiment of the present invention may include a management server interlocking unit 131, an external device interlocking unit 132, and a security company interlocking unit 133.

As described for the analysis unit 120, the management server interworking unit 130 interlocks with the IoT management server 300 and can store and utilize security-related service information, for example IoT terminal management information and IoT service request customer information. The analysis unit 120 may use this service information as a basis for analyzing the IoT security log.

Next, in response to an abnormal symptom, the external device interlocking unit 132 decides to interlock with an external interlocking device, such as a remote CCTV or a user terminal capable of SMS, applications, and telephone calls, and judges whether further action is necessary. The interlocking with the external interlocking device may be referred to as an emergency response, and the emergency response may consist of informing the external interlocking device of the abnormal symptom. When the abnormal symptom is resolved through interworking with the remote CCTV, the user SMS, the application, the telephone, or the like, that is, when no additional action is required, the interlocking unit 130 may return to monitoring the security logs. On the other hand, when it is determined that additional measures are necessary, the state action unit 140 is notified.

In addition, the security company interworking unit 130 determines the interworking with the security company and determines whether further action is necessary. That is, when the abnormal symptom is resolved through the interworking with the security company, the interlocking unit 130 may return to the state where the collecting unit 110 monitors the security logs without further response. On the other hand, when it is determined that additional measures are necessary, the state action unit 140 is notified.

Next, when it is determined that additional measures are necessary despite the emergency response of the interlocking unit 130, the state action unit 140 either automatically performs the state action needed to resolve the abnormal symptom or notifies the user or the security company of the abnormal symptom so that they can carry out the action. The user or the security company can receive the alarm of the state action unit 140 through a device. At this time, the state action unit 140 may provide a guideline for the state action on the abnormal symptom based on the security-related service information acquired by the interlocking unit 130.

Next, after the state action of the state action unit 140, the policy unit 150 determines whether a policy should be reflected in relation to the abnormal symptom and the state action. If the policy unit 150 determines that the policy should be reflected, it reflects it in the IoT gateway 200 security policy. In addition, the policy unit 150 may patch the software of the IoT terminal 201 in accordance with the reflected policy.

FIG. 3 is a flowchart illustrating an operation method of the security control system 100 according to an embodiment of the present invention.

Referring to FIG. 3, the security management system 100 according to an embodiment of the present invention collects an IoT security log from an IoT gateway.

Next, the IoT gateway resource, the IoT device resource, and the IoT gateway security log are monitored in sequence within the collected security logs. If an abnormality is detected in any one of the IoT gateway resource, the IoT device resource, and the IoT gateway security log, the emergency response step is entered; if the item is determined to be normal, the security log of the next step is monitored.

Next, when the monitoring of the IoT gateway resource, the IoT device resource, and the IoT gateway security log all turn out normal, correlation analysis, association analysis, and statistical analysis are performed in sequence. If an anomaly is detected in any one of the correlation analysis, association analysis, and statistical analysis, the emergency response step is entered; if the analysis is determined to be normal, the next analysis is performed. If the correlation, association, and statistical analyses all turn out normal, the flow returns to monitoring the IoT gateway resource.

Next, when an abnormal symptom is detected in the monitoring and analysis step, an emergency response step is entered. In the emergency response step, remote CCTV interworking or SMS interworking or application interworking or telephone interworking may be performed to solve the abnormal symptom.

Next, it is judged whether, in spite of the emergency response step, additional state actions are necessary to resolve the abnormal symptom. If no further action is needed, the flow returns to the IoT gateway resource monitoring step. If an additional state action is required, a state action can be taken that sends a notification so that one or more of a remote action, a security company action, or a customer action is performed. At this time, the state action may be an automatic action.

Next, when the state action is completed, it is determined whether the policy needs to be reflected. If it is determined that the policy needs to be reflected, it may be reflected in the IoT general policy or the IoT security policy, or a patch for the IoT terminal may be performed. If it is determined that the policy does not need to be reflected, the flow returns to monitoring the IoT gateway resource.

Hereinafter, embodiments in which the IoT security control system 100 is operated according to an embodiment of the present invention will be described.

<Example 1>

Embodiment 1 is an embodiment for detecting malfunction of the IoT boiler.

First, the collecting unit 110 collects the temperature of the IoT boiler. The analysis unit 120 monitors the average temperature, and the statistical analysis unit 120 of the analysis unit 120 uses statistical analysis to determine the average temperature of the IoT boiler while in use over one month.

At this time, assuming that the detected temperature exceeds 500 degrees and the threshold value is 450 degrees, the analysis unit 120 generates an anomaly alarm and analyzes the detected temperature in real time. Next, the interlocking unit 130 checks the detailed information of the boiler by interlocking with the IoT management server 300 that manages the boiler, and shares the information about the abnormal symptom of the IoT boiler. In addition, the state action unit 140 provides a notification so that a boiler expert can take the state action. After the state action, the policy unit 150 can check whether there is any problem with the threshold setting policy and adjust the threshold value. At this time, the policy unit 150 may automatically change the threshold value according to the average statistics at the time of using the boiler, or may change the threshold value to a specific value (for example, 600 degrees) entered manually by the user.

<Example 2>

Embodiment 2 is an embodiment for detecting excessive traffic of the IoT refrigerator.

First, the collecting unit 110 acquires a traffic log of the IoT terminal 201 of the IoT refrigerator from the IoT gateway 200 connected to the IoT refrigerator. The analysis unit 120 analyzes the traffic log of the IoT terminal 201 collected by the collecting unit 110. At this time, the analysis unit 120 obtains 10 Mbps as the average traffic generated by the IoT refrigerator, and it can be confirmed that the detected traffic exceeds 15 Mbps and therefore exceeds the threshold value of 12 Mbps.

Next, the interlocking unit 130 interworks with the IoT management server 300 that manages the IoT refrigerator, obtains service information of the IoT refrigerator, and shares the refrigerator abnormality information. Based on the service information, the interlocking unit 130 notifies the customer who owns the refrigerator that an abnormal symptom has occurred in the IoT refrigerator, by sending the abnormality information via SMS or an application using the customer's contact information (mobile phone number).

In addition, the situation controller 140 blocks the traffic of the IoT refrigerator through the IoT gateway 200 and requests IoT experts and security companies to analyze the cause of the abnormal traffic of the refrigerator. In one embodiment of the present invention, the state action unit 140 may take steps to upgrade the IoT refrigerator software when it is determined that the abnormal symptom is due to a bug in the IoT refrigerator's internal software.

In addition, the policy unit 150 may automatically change the threshold to meet the one-month average statistics, or may manually change the threshold to 16 Mbps as the user's input.

<Example 3>

Embodiment 3 is an embodiment related to blocking access to the IoT smart TV by an IoT smart refrigerator, which is an unauthorized access device.

The collecting unit 110 receives the communication of the access devices of the IoT smart TV, and the analysis unit 120 analyzes, through association analysis, the communication of unauthorized access devices among the communication of the access devices. At this time, if operation and information inquiry can be performed only from a smartphone or a tablet PC, the analysis unit 120 determines that access by the smart refrigerator, which is neither a smartphone nor a tablet PC, has no association, and it can be judged that an abnormal symptom exists.

Accordingly, the interlocking unit 130 obtains service information such as detailed information of the smart TV from the IoT management server 300, and confirms that there is an unauthorized access of the smart refrigerator. In addition, the situation controller 140 can block the traffic of the smart TV and notify the IoT specialist and the IoT refrigerator company that abnormal traffic of the refrigerator has occurred. Also, if it is determined that the unauthorized access is due to a bug in the IoT refrigerator software itself, the policy unit 150 may patch the software in the refrigerator. In addition, the policy unit 150 may update the relevant policy.

<Example 4>

Embodiment 4 is an embodiment related to detecting IoT microwave operating traffic when executing an IoT management application in a smartphone.

First, the collection unit 110 detects the execution of the IoT management application and the IoT microwave operation in the smartphone, and the analysis unit 120 generates the execution statistics of the IoT management application and the IoT microwave operating statistics. At this time, the analysis unit 120 may perform correlation analysis based on two or more different statistics.

Since it is normal that only inquiry traffic is generated in the IoT gateway 200 when the IoT management application is executed normally (i.e., there is no correlation), if the operation of the IoT microwave oven is detected when the smartphone IoT management application is executed, the analysis unit 120 can determine that there is no correlation and can thus confirm an abnormal symptom.

Accordingly, the interlocking unit 130 notifies the user terminal of the abnormality symptom on the basis of the service information, and the status action unit 140 notifies the smartphone IoT expert and the IoT microwave service provider of the traffic for the abnormal condition. If it is determined that such a situation is a bug of the IoT management application software of the smartphone, the policy unit 150 can patch the software of the corresponding smart phone and reflect the policy.
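
The three kinds of analysis used in Examples 1 to 4 (statistical threshold, association, correlation) and the policy unit's threshold adjustment can be sketched as follows. This is an added illustration, not code from the patent: the record layout, the function names, the 5-second window and the 1.2 margin are assumptions, and the sample records are constructed from the figures given in the examples.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Event:               # one constructed IoT gateway log record (layout is an assumption)
    ts: int                # seconds since start of capture
    device: str            # device the record is about
    kind: str              # "metric" | "access" | "app_exec" | "operate"
    value: float = 0.0     # metric reading (Mbps or degrees)
    peer: str = ""         # accessing device type, or application name

def statistical(events, thresholds):
    """Statistical analysis: flag readings above the per-device threshold."""
    return [(e.device, "threshold", e.value) for e in events
            if e.kind == "metric" and e.value > thresholds.get(e.device, float("inf"))]

def association(events, allowed):
    """Association analysis: flag access from a peer type not associated with the device."""
    return [(e.device, "unauthorized_access", e.peer) for e in events
            if e.kind == "access" and e.peer not in allowed.get(e.device, set())]

def correlation(events, query_only_apps, window=5):
    """Correlation analysis: an application expected to cause only inquiry traffic
    must not coincide with a device operation within `window` seconds."""
    execs = [e for e in events if e.kind == "app_exec" and e.peer in query_only_apps]
    return [(o.device, "unexpected_operation", a.peer)
            for o in events if o.kind == "operate"
            for a in execs if 0 <= o.ts - a.ts <= window]

def retune(history, margin=1.2, manual=None):
    """Policy step: a manual value wins; otherwise average * margin (assumed rule)."""
    return manual if manual is not None else round(mean(history) * margin, 2)

def analyze(events, thresholds, allowed, query_only_apps):
    """Run all three analyses and return the combined list of abnormal symptoms."""
    return (statistical(events, thresholds) + association(events, allowed)
            + correlation(events, query_only_apps))

# Constructed policy and sample records using the figures from Examples 1 to 4.
THRESHOLDS = {"boiler": 450.0, "refrigerator": 12.0}
ALLOWED = {"smart_tv": {"smartphone", "tablet_pc"}}
SAMPLE = [
    Event(0, "refrigerator", "metric", 10.0),
    Event(1, "refrigerator", "metric", 15.5),
    Event(2, "boiler", "metric", 501.0),
    Event(3, "smart_tv", "access", peer="tablet_pc"),
    Event(4, "smart_tv", "access", peer="smart_refrigerator"),
    Event(10, "smartphone", "app_exec", peer="iot_mgmt_app"),
    Event(12, "microwave", "operate"),
    Event(60, "microwave", "operate"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE, THRESHOLDS, ALLOWED, {"iot_mgmt_app"}):
        print(alert)
```

A device with no configured threshold is never flagged by the statistical check in this sketch, so a deployment would need to treat a missing threshold as a policy gap in its own right.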

The specific implementations described in the present invention are examples and are not intended to limit the scope of the invention in any way. For brevity of description, descriptions of conventional electronic configurations, control systems, software, and other functional aspects of such systems may be omitted. Also, the connections or connecting members of the lines between the components shown in the figures are illustrative of functional connections and/or physical or circuit connections, which in an actual device may be replaced or additionally provided by a variety of functional connections, physical connections, or circuit connections. Also, unless a component is explicitly described with terms such as "essential" or "importantly", it may not be a necessary component for application of the present invention.

The use of the term "above" and similar referring terms in the specification of the present invention (particularly in the claims) may refer to both the singular and the plural. In addition, when a range is described in the present invention, it includes the invention to which the individual values belonging to the range are applied (unless there is a statement to the contrary), and this is the same as if each individual value constituting the range were described in the detailed description of the invention. Finally, the steps constituting the method according to the invention may be performed in any suitable order, unless an order is explicitly stated or the description indicates otherwise. The present invention is not necessarily limited to the order in which the steps are described. The use of all examples or exemplary language (e.g., "etc.") in the present invention is only for describing the present invention in detail, and the scope of the invention is not limited by the examples or exemplary language unless limited by the claims. It will also be appreciated by those skilled in the art that various modifications, combinations, and alterations may be made depending on design criteria and factors within the scope of the appended claims or equivalents thereof.

The embodiments of the present invention described above can be implemented in the form of program instructions that can be executed through various computer components and recorded in a computer-readable recording medium. The computer-readable recording medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer-readable recording medium may be those specifically designed and configured for the present invention or may be those known and available to those skilled in the computer software arts. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CD-ROM and DVD, magneto-optical media such as floptical disks, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code, such as that generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be configured to operate as one or more software modules for performing the processing according to the present invention, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments. Those skilled in the art will appreciate that various modifications and changes may be made thereto without departing from the scope of the present invention.

Accordingly, the spirit of the present invention should not be construed as being limited to the above-described embodiments, and all ranges that are equivalent to or equivalent to the claims of the present invention as well as the claims.

100: security control system 110:
120: analyzing unit 130:
140: Situation measure section 150: Policy section
200: IoT gateway 300: IoT management server

Claims (21)

1. A security control system using an Internet of Things (IoT) gateway, comprising:
A collecting unit for collecting the IoT security log from the IoT gateway connected to one or more IoT terminals;
An analysis unit for monitoring and analyzing the IoT security log to confirm an abnormal symptom;
An interworking unit for obtaining service information related to security through interworking with an IoT management server managing the IoT terminal and determining interworking with one or more external interworking terminals in response to the abnormal symptom;
A state action unit for performing a measure capable of solving the abnormal symptom or notifying the abnormal symptom to at least one external device; and
A policy unit for determining and reflecting a policy after the situation action,
Wherein the analysis unit monitors a security log comprising at least one of an IoT gateway resource, an IoT device resource, and an IoT gateway security log.

2. The system according to claim 1,
Wherein the analysis unit analyzes the IoT security log by at least one of correlation analysis, association analysis and statistical analysis.

3. The system according to claim 1,
Wherein the analysis unit analyzes the IoT security log by analyzing whether one of the correlation analysis, association analysis or statistical analysis of the IoT security log violates a threshold value.

4. The system according to claim 1,
Wherein the policy unit patches software for one or more IoT terminals for which the abnormal symptom is detected.

5. (deleted)

6. The system according to claim 1,
Wherein the external interworking terminal comprises a user terminal capable of executing remote CCTV or SMS and applications.

7. The system according to claim 1,
Wherein the security related service information comprises IoT terminal management information or IoT service request customer information.

8. The system according to claim 1,
Wherein the policy reflected by the policy unit is either the IoT gateway general policy or the IoT gateway security policy.

9. The system according to claim 1,
Wherein the notification of the abnormal symptom to one or more external devices is to notify the security company terminal or the customer terminal of the abnormal symptom.

10. The system according to claim 1,
Wherein the state action unit further performs an action by remote control.

11. A security control method using an Internet of Things (IoT) gateway, comprising:
A collecting step of collecting a step-by-step IoT security log from an IoT gateway connected to one or more IoT terminals;
An analysis step of monitoring and analyzing the IoT security log and confirming an abnormal symptom;
An interworking step of acquiring service information related to security through interworking with an IoT management server managing the IoT terminal and determining interworking with one or more external interworking terminals in response to the abnormal symptom;
A state action step of performing a measure capable of solving the abnormal symptom, or notifying the abnormal symptom to one or more external devices; and
A policy step of determining and reflecting a policy after the action,
Wherein the analysis step monitors a security log comprising at least one of an IoT gateway resource, an IoT device resource, and an IoT gateway security log.

12. The method of claim 11,
Wherein the analysis step analyzes the IoT security log by one or more of a correlation analysis, an association analysis, and a statistical analysis.

13. The method of claim 11,
Wherein the analysis step analyzes whether one of the correlation analysis, association analysis or statistical analysis of the IoT security log violates the threshold.

14. The method of claim 11,
Wherein the policy step patches software for one or more IoT terminals for which the abnormal symptom is detected.

15. (deleted)

16. The method of claim 11,
Wherein the external interworking terminal comprises a user terminal capable of executing remote CCTV or SMS and applications.

17. The method of claim 11,
Wherein the security related service information comprises IoT terminal management information or IoT service request customer information.

18. The method of claim 11,
Wherein the policy reflected by the policy step is an IoT gateway general policy or an IoT gateway security policy.

19. The method of claim 11,
Wherein the notification of the abnormal symptom to at least one of the external devices is to notify the security company terminal or the customer terminal of the abnormal symptom.

20. The method of claim 11,
Wherein the state action step further performs an action by remote control.

21. A computer-readable recording medium recording a computer program for executing the method according to any one of claims 11 to 14 and 16 to 20.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150143542A KR101769442B1 (en) 2015-10-14 2015-10-14 Method, system and computer-readable recording medium for security operation using internet of thing gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150143542A KR101769442B1 (en) 2015-10-14 2015-10-14 Method, system and computer-readable recording medium for security operation using internet of thing gateway

Publications (2)

Publication Number Publication Date
KR20170043895A KR20170043895A (en) 2017-04-24
KR101769442B1 true KR101769442B1 (en) 2017-08-30

Family

ID=58704232

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150143542A KR101769442B1 (en) 2015-10-14 2015-10-14 Method, system and computer-readable recording medium for security operation using internet of thing gateway

Country Status (1)

Country Link
KR (1) KR101769442B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20220072659A (en) 2020-11-25 2022-06-02 주식회사 푸시풀시스템 SECURITY CONSTRUCTION METHOD OF GATEWAY FOR IoT DEVICES BY USING IDENTITY-BASED CRYPTOGRAPHY BASED ON VIRTUAL BLOCKCHAIN
KR20230112819A (en) 2022-01-21 2023-07-28 주식회사 푸시풀 SECURITY CONSTRUCTION SYSTEM OF GATEWAY FOR IoT DEVICES BY USING IDENTITY-BASED CRYPTOGRAPHY BASED ON VIRTUAL BLOCKCHAIN AND ITS METHOD

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102119374B1 (en) 2019-11-25 2020-06-05 한국인터넷진흥원 Method and apparatus for taking action to the abnormal behavior of iot devices
KR102376433B1 (en) * 2020-06-15 2022-03-18 주식회사 시옷 A method of secure monitoring for multi network devices
KR102369991B1 (en) * 2020-09-09 2022-03-03 주식회사 시옷 Integrated management system for iot multi network secure


Also Published As

Publication number Publication date
KR20170043895A (en) 2017-04-24

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal